23542300x800000000000000024653Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:35:58.691{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=754B364EE577CAE31528ADF09ABB5CFA,SHA256=D195FA48AF2B393353179D79EB9BA56DB3ED5353CEAB41DBD9593E7FCD8F7D18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043599Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:35:58.667{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=133DE2AEC6C1925B5A20745BC9B24BB9,SHA256=1E72E044E4703E04277665685C6EDC49C7ACA985A0B3796724C2FEF0B4F52F0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043601Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:35:59.685{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B306622C0BD3E358A9366E674CA17C3,SHA256=89F0F8EB28947B487FA67B695FEBDEF554C4277CD092751B9F6CF3367A799525,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024654Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:35:59.691{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CCF40759218BE898ADE05577604FCD2,SHA256=B4EE4FEB61AF2BC4EC63DDB5B38F6D89B91A6463DA452DC6A1DBE523C43A70EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043600Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:35:56.843{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51570-false10.0.1.12-8000- 23542300x800000000000000024655Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:00.691{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B94ADB179597204694D35BFDF0D5A85C,SHA256=F05FFEC94A0D974C49C95D900A7612179083955533430FF87F6480D6C7563ECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043602Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:00.716{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=197DA1B6FECCBCFE37EC07C73C3E426A,SHA256=7E5EAFAD576927CE2CC8A6FB4ACBAC4B6507A7A01AAA429375BBBB104F1B8B92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024657Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:01.691{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D843188A94E9DD8B432B43A0AD5DC9F7,SHA256=CFEE0D9A4123A054FD5BF547D7C4B74DAF23C993F765D01EEE952815F92BADD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043642Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.764{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B081736BA7AE366E20CC2357E416F1B,SHA256=72B2EBC4CEEB93D36A4D83D3808569CB167B26CBEA89F696597A98E55CDB7E2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024656Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:35:58.975{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50834-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000043641Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043640Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043639Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043638Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043637Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043636Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043635Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043634Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043633Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043632Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043631Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043630Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043629Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043628Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2D00-00000000F001}1684C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043627Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2D00-00000000F001}1684C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043626Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043625Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043624Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043623Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043622Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043621Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043620Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043619Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043618Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043617Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043616Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043615Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043614Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043613Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043612Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043611Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043610Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043609Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043608Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043607Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043606Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043605Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043604Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043603Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000043643Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:02.799{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=367560B3D67AA373E090259A992354DB,SHA256=08FD5B1B87B9BE077ED350BFF1B09F647F7278DB206F9C721789158CA69EAA2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024658Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:02.707{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AB331FBE9B97D6FE68DCB05E1D8E2D6,SHA256=6952D89ADEF3F259CC416D29032F8B7ED8FE59D871C2536AB18152A5D133D80F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043646Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:03.830{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B9A7AC878152CE557362CDA6F66ECDA,SHA256=9F915B3239C570C774894204BC93068ACAB5E66FF93AE4634327B42EC6F89354,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024659Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:03.722{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=924D17AE635C027B0F0916692C7FE47E,SHA256=D1A368AAFBED9BE9388965E7595548E5B8B8AF085EBA103C3B4FBF12A6B08D02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043645Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:03.299{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=055879BDA4F601FBB7B50EB470046C62,SHA256=4734740FFF25C6EA2B5BC77C0347E4FB282E6A26057863659595246974F1D8B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043644Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:03.299{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F627EFE3B0E91B8313514819C808DBEB,SHA256=E75DAD34FEEA7C8C6613C770B613E28AAF17B3C34ABBF7F1629753A51E419BC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024660Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:04.722{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A273E7D1BAA6EE11237ACE4D970E8304,SHA256=E4C1A888C5203C7010B2C4EACF4D08EE87ADB7102368ADA0D7120C6C6C4A2577,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043655Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:04.845{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=904EE9A33E928972EE23D1CB5DAAF0C7,SHA256=7D17F50631D04ED6512EF3E1F55E6054EE2878C1936B535266BA914DDF757B95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043654Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:04.566{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1944-6136-B508-00000000F001}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043653Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:04.563{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043652Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:04.563{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043651Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:04.563{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043650Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:04.563{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043649Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:04.563{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1944-6136-B508-00000000F001}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000043648Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:04.562{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1944-6136-B508-00000000F001}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000043647Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:04.562{323FE7D8-1944-6136-B508-00000000F001}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000043675Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.866{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EAAB3F4BC84633C67700B2F79FB0C99,SHA256=B884AA5C9C8BF895FB841C86EB313212C3A547BD074E0A801FEA3431033F77DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024689Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.832{FFF7FB96-1945-6136-2F06-00000000F101}6762640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024688Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.629{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1945-6136-2F06-00000000F101}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024687Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.629{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024686Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.629{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024685Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.629{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024684Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.629{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024683Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.629{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024682Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.629{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024681Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.629{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024680Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.629{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024679Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.629{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024678Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.629{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1945-6136-2F06-00000000F101}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024677Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.629{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1945-6136-2F06-00000000F101}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024676Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.630{FFF7FB96-1945-6136-2F06-00000000F101}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024675Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.582{FFF7FB96-049C-6136-9F00-00000000F101}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024674Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:03.991{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50835-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000024673Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.144{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1945-6136-2E06-00000000F101}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024672Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024671Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024670Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024669Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024668Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024667Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024666Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024665Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024664Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024663Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.113{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1945-6136-2E06-00000000F101}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024662Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.113{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1945-6136-2E06-00000000F101}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024661Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.114{FFF7FB96-1945-6136-2E06-00000000F101}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000043674Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.828{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1945-6136-B708-00000000F001}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043673Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.828{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043672Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.828{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043671Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.828{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043670Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.828{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043669Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.828{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1945-6136-B708-00000000F001}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000043668Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.828{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1945-6136-B708-00000000F001}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000043667Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.829{323FE7D8-1945-6136-B708-00000000F001}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000043666Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.582{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=055879BDA4F601FBB7B50EB470046C62,SHA256=4734740FFF25C6EA2B5BC77C0347E4FB282E6A26057863659595246974F1D8B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043665Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:02.609{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51571-false10.0.1.12-8000- 10341000x800000000000000043664Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.413{323FE7D8-1945-6136-B608-00000000F001}62402856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043663Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.213{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1945-6136-B608-00000000F001}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043662Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.213{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043661Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.213{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043660Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.213{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043659Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.213{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043658Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.213{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1945-6136-B608-00000000F001}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000043657Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.213{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1945-6136-B608-00000000F001}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000043656Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.215{323FE7D8-1945-6136-B608-00000000F001}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024706Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:06.832{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A420E2564C94992A09DC21F2D6742F1,SHA256=FD366E5073DAF5212724ECB6E03704ECD5A2C152C9F7D445C8E4FCF654602FA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043677Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:06.881{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DF6B4E9C736452B87BD94A384CAC0C6,SHA256=27417EC0035B9B1F946F2473B282640A839DBFFEED3022904F7886081AA30112,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043676Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:06.881{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3BCA29C5592C1DA62709D096B684527,SHA256=04BDFB16D35D0E42DB2A4EE1ADCE704364064385CA83CE00EBF29F39C53BC5FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024705Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:06.238{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1946-6136-3006-00000000F101}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024704Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:06.238{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024703Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:06.238{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024702Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:06.238{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024701Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:06.238{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024700Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:06.238{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024699Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:06.238{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024698Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:06.238{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024697Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:06.238{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024696Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:06.238{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024695Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:06.238{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1946-6136-3006-00000000F101}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024694Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:06.238{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1946-6136-3006-00000000F101}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024693Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:06.239{FFF7FB96-1946-6136-3006-00000000F101}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024692Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:06.175{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB9406A8C39258BDDBF56E3E9B2E6BA0,SHA256=31A746E1C0BEC6AD648466DB2D5E10AEEC5EDA1CE88C6EC373B6533F33104188,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024691Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:06.175{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E17652426DD274E60B5BE6263660AA39,SHA256=3C69CA7D34626509B402BA893C73144734CD1761D355FD08DA5DA1EB4F2C046B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024690Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:06.019{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=344A1652EF7DD42995ACADC42760391F,SHA256=A494EDE3A9615172E550146CC09847ADAEDB58714A44AB1F075FF78C78D0474B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043680Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:07.912{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CA4D61703F31112C7E53DF13BD2206E,SHA256=CAB1854F07F4D2728A4EACD459FF1DB70B4248D22AF0D9FBF618736626234F6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024724Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:07.870{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE860FFB39A057249845BEABDB2AC4B4,SHA256=7564FAF51D4B90F0921128C5E4A6DDE1F991F9FF9F7C2FD1B67B9C3872AD2088,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024723Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:07.865{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\respondent-20210906120554-087MD5=4761C661187147E55C9BD88F93ACDD3F,SHA256=E49051AD655512C416AEEFA39D6145E31F50204E8459201070596158B48A8487,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024722Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:07.644{FFF7FB96-1947-6136-3106-00000000F101}8003228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024721Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:07.488{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1947-6136-3106-00000000F101}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024720Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:07.488{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024719Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:07.488{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024718Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:07.488{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024717Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:07.488{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024716Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:07.488{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024715Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:07.488{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024714Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:07.488{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024713Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:07.488{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024712Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:07.488{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024711Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:07.488{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1947-6136-3106-00000000F101}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024710Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:07.488{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1947-6136-3106-00000000F101}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024709Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:07.489{FFF7FB96-1947-6136-3106-00000000F101}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000024708Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.413{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50836-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000024707Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:07.285{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB9406A8C39258BDDBF56E3E9B2E6BA0,SHA256=31A746E1C0BEC6AD648466DB2D5E10AEEC5EDA1CE88C6EC373B6533F33104188,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043679Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.123{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51572-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000043678Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.123{323FE7D8-023F-6136-2800-00000000F001}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51572-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 10341000x800000000000000043699Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.946{323FE7D8-1948-6136-B908-00000000F001}17006936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000043698Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.915{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CAD327DC5BCCF1FE54335640B89D5A8,SHA256=8ACD4E8A56199B1F8BAB61583842D9E0B02B1BCEC11E568A6F0C49251BDDC384,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043697Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.746{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1948-6136-B908-00000000F001}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043696Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.746{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043695Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.746{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043694Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.746{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043693Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.746{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043692Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.746{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1948-6136-B908-00000000F001}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000043691Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.746{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1948-6136-B908-00000000F001}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000043690Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.747{323FE7D8-1948-6136-B908-00000000F001}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000043689Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.300{323FE7D8-1948-6136-B808-00000000F001}58161168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043688Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.080{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1948-6136-B808-00000000F001}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043687Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.080{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043686Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.080{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043685Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.080{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043684Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.080{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043683Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.080{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1948-6136-B808-00000000F001}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000043682Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.080{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1948-6136-B808-00000000F001}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000043681Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.082{323FE7D8-1948-6136-B808-00000000F001}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000024754Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.908{FFF7FB96-1948-6136-3306-00000000F101}8041628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000024753Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.864{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\surveyor-20210906120551-088MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024752Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.738{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1948-6136-3306-00000000F101}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024751Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.738{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024750Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.738{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024749Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.738{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024748Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.738{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024747Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.738{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024746Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.738{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024745Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.738{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024744Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.738{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024743Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.738{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024742Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.738{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1948-6136-3306-00000000F101}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024741Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.738{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1948-6136-3306-00000000F101}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024740Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.739{FFF7FB96-1948-6136-3306-00000000F101}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024739Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.722{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39595E3F70E5980DEC0B486C130633D5,SHA256=BE749E600C10CA24CC02BB176D9817F41FCD24745802CC7376E550AE372EAF11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024738Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.301{FFF7FB96-1948-6136-3206-00000000F101}7202476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024737Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.113{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1948-6136-3206-00000000F101}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024736Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024735Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024734Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024733Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024732Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024731Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024730Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024729Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024728Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.113{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1948-6136-3206-00000000F101}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024727Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024726Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.113{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1948-6136-3206-00000000F101}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024725Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.115{FFF7FB96-1948-6136-3206-00000000F101}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000043711Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:09.921{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=228A59506E1CFDCEE652C34FF870B2AA,SHA256=CC1193ED0047BC8DF2345037B0E8FA94E6501210F4533EDDE566321107117C5A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043710Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:09.673{323FE7D8-1949-6136-BA08-00000000F001}1003760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043709Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:09.415{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1949-6136-BA08-00000000F001}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043708Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:09.415{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043707Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:09.415{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043706Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:09.415{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043705Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:09.415{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043704Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:09.415{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1949-6136-BA08-00000000F001}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000043703Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:09.415{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1949-6136-BA08-00000000F001}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000043702Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:09.415{323FE7D8-1949-6136-BA08-00000000F001}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000043701Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:07.852{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51573-false10.0.1.12-8000- 23542300x800000000000000043700Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:09.099{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D9E3D04E6D7CD0828AC52621BC8B204,SHA256=A34BD213A6963408EA92C8CDD8E5A965DB43D114028668FEC91A0BCFB2E3CC86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024769Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:09.739{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18C1CB04D1B4EADEEEC00DFADFEEB3F7,SHA256=038C2346C98B80E2E715A27E51469C788C75E1440B229E340BD078BBD81A5A6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024768Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:09.410{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1949-6136-3406-00000000F101}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024767Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:09.410{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024766Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:09.410{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024765Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:09.410{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024764Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:09.410{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024763Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:09.410{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024762Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:09.410{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024761Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:09.410{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024760Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:09.410{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024759Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:09.410{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024758Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:09.410{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1949-6136-3406-00000000F101}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024757Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:09.410{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1949-6136-3406-00000000F101}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024756Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:09.411{FFF7FB96-1949-6136-3406-00000000F101}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024755Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:09.079{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A559B0D29ED6BFE6232CA1D3FB6E2CE,SHA256=943B84665195038190CB732EABA40368AC28546927572F7B1C7042694917F1B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043721Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:10.924{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CC32CA7A7A6F62B70A22322505560FE,SHA256=BC0D69677A8B1841D65C69F6CA3C909ACD81C523309B599A0272EA39D1EDC844,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024770Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:10.082{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=352FA6FCBB22659C93D9E30F0BC69C9D,SHA256=11CA5BEA6CA937729EED4FBE561956FDB5E3EBB52960F648694EE33944D51E9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043720Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:10.424{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F97484470144DF335C9B02AC8FAF784,SHA256=D338F09EA6967C1632FC4497DCBCD69733144D398E86832E8477DDD5ACD3CE44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043719Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:10.105{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-194A-6136-BB08-00000000F001}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043718Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:10.105{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043717Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:10.105{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043716Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:10.105{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043715Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:10.105{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043714Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:10.105{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-194A-6136-BB08-00000000F001}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000043713Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:10.105{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-194A-6136-BB08-00000000F001}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000043712Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:10.106{323FE7D8-194A-6136-BB08-00000000F001}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000043722Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:11.954{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6C839C5AA03EE2AB4EBF5C5F92538F4,SHA256=2051DEEEB7B3E1F1EF0D899C99EB967E9DDBD75BA9D2FEE8A6C9BD3C835FFC2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024772Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:09.960{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50837-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000024771Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:11.129{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2411B458B0E4DC04CE7941172BA4BFF2,SHA256=7E07CC07522B9BA688E3790127BE00227D4CF1A1C4540554EC5EC06C77B8223E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043723Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:12.969{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8F9E55AFE0A79BF6ACBACD60B33751E,SHA256=F577B9625F1EB97D95CD203178AFAAC17705E79F1CED709EF46DE6A051934469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024773Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:12.129{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B921942AABED6E34BBAB122087C506AF,SHA256=B58F824C96A99919F6DE8E503B7AC36722258219B581F14654B749C188752EBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043724Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:13.987{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73E676702638F9057796105C89971B02,SHA256=1EA749DD11C1C8F5720444BA1715E72BE4FFFB2FB40EC39B6EDF0838FA496D99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024774Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:13.129{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A05CBFC5D82E8861CFC578E9F9D06625,SHA256=04A8CFB8919D0BB6FFCC4678403C165E2CB1F140623BAC0C34E9AF5583BB57DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024775Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:14.144{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2FB360C03B4AF580D53877AAC0274A9,SHA256=C1226AB67B6BE1284B1BC643B34F09702BE3AB2859AC025B5C663E31E16426CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024776Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:15.207{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=179218E96E7E2BAA2E8130E699B1E1BF,SHA256=8889935C7DDEC208411FF3D5D1F79D19F9CF53EC4D405FD67993579F5BA90210,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043726Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:13.601{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51574-false10.0.1.12-8000- 23542300x800000000000000043725Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:15.005{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8449FC1F5A57DEF74606349BBA477C44,SHA256=B47E0948E483FA35A3C7589596F40921F826E0D61391E33C25649491B5A10486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024777Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:16.254{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7904B16ECF306305B3FA6CFE7E1C7D4,SHA256=BECF9BE70855FF09B28D80DBBBF6BA5C41A27E7CD23F0018E394E03DBD267E62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043727Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:16.020{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=955B41A513D223D15E581BC37F980FB1,SHA256=2A2800EAEDE82EF77A462B09D5EDA4578B81515140DBCC1AA773CDA33C20E854,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043728Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:17.051{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5E6C061E9456E50DA2970382310F8D2,SHA256=C214448565E37217BA25385F0F576F196D8CC2A858BF20ADA8AEB6973F2DB2D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024779Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:15.960{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50838-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000024778Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:17.285{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5D77685CA0D70994DC4263B5E0C1FF4,SHA256=A764890797522FF49B48622727A5C4612C177870CB8BB97CCC0582E9B6EF6192,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043729Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:18.083{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15F8FCD0C6808C541144AA268EF2A982,SHA256=C6F0202CB4132E1080FF2B510951AF0B476F37E6FF3FC8B2EC7FCA5A3B0F83CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024780Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:18.301{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C35917126C8C9EE852711ED11090B1C4,SHA256=B6509A5ED226127AF30BE504923DA423BF1F743BD08108D857BA39EFCD6CBD53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024781Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:19.360{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD738DBF2871C70823C6C30B3109548D,SHA256=23F8FB4E375845E9B72522038DBD61B130F872C69E92740B6B42067BB03652D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043731Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:19.483{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\respondent-20210906115753-095MD5=58D52BFFD80488B8005F7C319C2D4334,SHA256=B9D8441D1BC2ED8425146F5F211E2A21C477807F4E0B7EBAD9811C868FAB9279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043730Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:19.103{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B291F5C18BB31E0F79902D81D10425A6,SHA256=2300D2073F9D608A4D600B14EBE8E3764F4679DEF2C0D3D24A844603D8672821,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024782Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:20.392{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FED1E3E734C4B7415DC556ECBAFA0479,SHA256=4A82BA765C50F4FBE8D06A7B3FD550E4EBB95A50E32A5961C394A25A80D9622F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043736Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:18.828{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51575-false10.0.1.12-8000- 23542300x800000000000000043735Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:20.502{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\surveyor-20210906115751-096MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043734Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:20.117{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA4B333B3EEF24E1931BC2A33D5B8ACB,SHA256=1D3A0C83B0786A892232E7AC864A2A1A9075AB1E092C282D4195CEC2A16AE591,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043733Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:20.033{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33120D223A941700840F61A3CAD468BF,SHA256=C91B6F45A47A5EEFC50BB145F9CF16A812A678E564AFC6219600B5A704C7691A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043732Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:20.033{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C65B2718071C296AC55EC4138C4FD0DB,SHA256=6535AF10D8EA82074DA141CD054D59A7C4640FC003E53B0527BE6A42698449E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024783Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:21.407{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC5C071F2C4F5C951E3411A1876A10A2,SHA256=DBE1F91ABFB328DA585D815182BBF56CFDE934FF2F5BA4D2492F87325788BBD5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043738Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:21.600{323FE7D8-022E-6136-0D00-00000000F001}9042288C:\Windows\system32\svchost.exe{323FE7D8-053A-6136-6302-00000000F001}4892C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000043737Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:21.132{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=418971A3F2D91E6537E5267AA51C5461,SHA256=6DC0A5E8F43769816DFB735BAAA3FF45EF73BAEE90CB649D05533FFF04446EDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043739Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:22.147{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9DA44D5ED5378E5F45A7F727F63EC8A,SHA256=EC420F5D7A203C6C2A7116B6E012BC5008C1B6B80C010E5433338A558A64EBFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024785Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:21.020{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50839-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000024784Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:22.407{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82607416A02391A860AC45ACFF106E91,SHA256=1FD881A9FF66F785A026A30215F5F204957820E2F4991E3087666823CC954C25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043740Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:23.179{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D860D55ACD1A60481EFA6391F89409A,SHA256=94DD64852BEE8ED07620A9127E4235C1722BE4F99D853B5E5234D06EEAE6E798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024786Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:23.423{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B72052055E4E452979A1D4E5115D54EC,SHA256=F5710E5342E1B0ED969CA1F8F5EC2F01509FC90A9BD824870DE84D91482351D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024787Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:24.423{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=622C7029828F881C9A953D4272DF95B5,SHA256=F3C0C84152DEB7FB594AE7475449BB7B0D9552E23AFA8496628E44C40E72F070,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043741Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:24.214{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8A38C7490D285872CA8A94F4AD9E722,SHA256=C46CE973F71606AA1E58703DB500F1B7F9BC866521CA63625EF2D84A5AADF855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024788Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:25.423{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B898C0227797330B9032955B5968DF6,SHA256=612D8BDDC53B5672B91BF4D8BB2578C269CAE2583F47D69D95B847292534E090,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043742Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:25.229{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D931B1C1606BD5D77A8C3002EBB58CBD,SHA256=74F7EDD0F1054CF0CB066766C15E66AE08B5AA307E2699F8E3E4E95B406637F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024789Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:26.439{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=476149386743B6FCC5339B409EFC8D78,SHA256=E2FFA30A83D936807B968E7EEFF0679CEB0654AD71AEB9317E5921677EAC3E88,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043744Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:24.807{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51576-false10.0.1.12-8000- 23542300x800000000000000043743Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:26.244{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7369BC9FD931EDB8B9C2C474AEFB8154,SHA256=CBE4415D38D7B13BCBE6243D549833D2F695305397322F9E90398B7539393BA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024790Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:27.470{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28EE5BDC717E0E2C036A3CC2994E83FB,SHA256=F9293468E21DB42F6738F2DE2ABB2703201C4C2F4AC791A06E814698D245CBE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043745Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:27.276{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4CA0DFB994D206A4B6680D5C1B17E41,SHA256=3C2B10F186852A19540ED5F894039359DF9A35D7D800BBC17F85D57519965089,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024792Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:28.501{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA05153AA98FA38FA7EBB91345C87F66,SHA256=E32D40A4C9FBD77D95E6DBB3F21C8ABC525C2B4A05E987A21D17EDA10452460D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043746Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:28.311{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92794DDC90399B39291C700BA58CA1DF,SHA256=BEAE4F52709982EF5CA7B639AF917F052083CEE4AA71906E24985D63A97CDBD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024791Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:26.020{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50840-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000024793Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:29.517{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9EDD4C4C5521919334781C47667BD02,SHA256=17728DCCF66612519A86200A40800490620F7979FEB96919AACC3B5AE5DEB0C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043747Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:29.341{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB270EF50A6614961B1E441DF1424406,SHA256=D831DB30EFB035E3EEB3D630FF710D8553610789FF937BDEE98CD75F7F055448,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024794Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:30.532{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A63A0830C6E7E577D4AC829E1494C7,SHA256=462A8249B500DDF17812D2B21D527B11781836F78DC47045D36251AEFEA4E7C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043749Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:30.341{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC2CA0D35E75C09C10379A873D675EA,SHA256=C977D840D1BDE9043FBD71EA59B46C12367FF1AA12F21883707F4403E7C6954E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043748Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:30.095{323FE7D8-02BC-6136-A700-00000000F001}1036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024795Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:31.532{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=878A585F03ACEDB2935FE5A92B0D9058,SHA256=9193ADA1747D5EFFE9B31CCD631F0A1EBC7BF21B7160F4A9E7C57D4A3C56F909,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043751Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:29.667{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51577-false10.0.1.12-8089- 23542300x800000000000000043750Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:31.374{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CCD1385BA1EB5E1E37E59D1AF77C55F,SHA256=42DE07BC79DB523CF7BDCE9DF825E83AAE64DF5CE8FDFA66C1D235FD0829C6CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024796Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:32.548{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D97EC5997007213014AF546E4C68E0,SHA256=7EC0A6815114393EBA09FC51C4DD4830C0C07A30A17164C6B95301187137B994,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043753Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:30.820{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51578-false10.0.1.12-8000- 23542300x800000000000000043752Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:32.410{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F23CB72FFD21574B14D8BFD6B12C447D,SHA256=8F5FEBF85DEE99C89C5C4EDBACB7389D3FFCCCB5B03E331D01F1EB10C894B747,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024798Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:32.020{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50841-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000024797Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:33.579{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D41F62FF644D0C6BBBC49CD4CFB6767E,SHA256=B22C1F1ECED8CFE40756C478417ECB4F418057ACF6BF2CD52B6D3FABE1B0AC07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043754Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:33.425{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ECE5A9BA7B3EF6F6965287458AD8E33,SHA256=1E88AC82D206CD74ADA8A7C223BF8CAF0BCF234E8AAE7259F50D1B2BEBFB31DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024799Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:34.595{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F10064B0579E493A82CB17C42F28D888,SHA256=D54ECE270136E34331C5FF32780BD99753580040383F0EFDC1B67E9625C01C18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043755Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:34.426{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BA2F17105EA147C2034CF4B85D28E74,SHA256=898A7518581C4A75846F5B76DD7D2289E37F2E7E87FA041D7C5BFA98A0E81DE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024800Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:35.611{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5036D6C6E421600F9178D3338BBB642,SHA256=F9F58E8CFA7B77BC32BC173A507604C0B1E671D71DC38E56F1C74840A3927FF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043756Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:35.440{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE5F64F68337DBFEA8DA74BA0DC540A0,SHA256=06C16CDCE3C6BDDFA68FF5D6B76E518DCF4C6AB18DA6F00DE089EF47FB296C18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024801Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:36.611{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2604D7A7843AB0716EF9059B5ADF821C,SHA256=C9534FCB5D815C0024FE58C92DABE263751E8AEB7D4D0F68815131C8DAAC8FE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043758Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:36.473{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8C480385D63C9BE85467F84F00D189E,SHA256=455A8D05DB83DCEF71EBE4585829DE80BC24461C7FBEEF475033E1574F97531C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043757Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:36.172{323FE7D8-022E-6136-1000-00000000F001}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=33B9230349D431578A2B7A519E4CF8D0,SHA256=E6BAFCB28AE008FC1CE2056224D7D39E4A6F744EB48F4DC0AA9C140C3345733A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024802Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:37.611{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C29538F3BEA7D37F5B1C65187C6C6967,SHA256=5D898E0E812C5FB3E6E61ACFE006DB458E2D79AC6F8352A08760E01ADBF22C66,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043760Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:35.834{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51579-false10.0.1.12-8000- 23542300x800000000000000043759Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:37.476{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A0F5DBE454F675F0590EE621D326999,SHA256=9BC4F5531AD1A9DC58296073E47E2215342652CE792F9D29B4759C7AD2305099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024803Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:38.631{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B0C4E16C25FC420E32F61B087FB012E,SHA256=8F58B05DB08B66255C077E00A6A8363FB55288F70FB11F1D313BDA584407A320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043761Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:38.495{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49CB5E186BB7FB6F4C5DC43DC3B557AE,SHA256=323AA382EA4BC56E6CDB4BCF0EB11BAD8630A597AC828514570B2034DBF01154,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024805Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:39.662{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D79EC160ACD5AA6A98825B129A127AAE,SHA256=5C002764097405C6673B0ADD50CE7C32F28F83D070A213598E066BC94FB5016F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043762Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:39.526{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=787206796E694B0F14A188A5E080347A,SHA256=A315A929313B517A90BC6A9A528AB3F514BEB53D15991B92091BE20919FB64AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024804Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:38.020{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50842-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000024806Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:40.662{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA39B45A1AC378DFEE466F6F9F78415C,SHA256=2858EF2462C2A4CD514D4DE4D035349528E3310B4066F02285E80B976870ADE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043763Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:40.526{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20BD3A4A31066C136D246AD2DF3136E2,SHA256=58235EB352E33893D73D1DF523513863D90F0C25460BE9EAE83D1D9AFAAB9EB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024807Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:41.678{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B061282196C393D69185978D419DDF26,SHA256=B0B5938C20F38D0D4A115260F4BA2F6E56BB1C06C26CD77BA8A25FF1B4940884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043764Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:41.556{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F83E220ADA8A5944DD841DC304B4D86,SHA256=57A23D746BEE882B1EB2C01AA06DBECEF1483B9C6A40AEA5F956D10BD18A71C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043765Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:42.557{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C894FB12DA81BE02883379097EDD450C,SHA256=72C48E964D66A4E958C8519AA4D21F5B866C59C6775A0CC8B6B2259A262AAC53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024808Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:42.678{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2D880E92AF2ECE0560EE5EB0107A378,SHA256=8D08C60E3F1BB4F3E76F0D2AC8AFCF4DE890879F203069FE3293082FE06FF746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043766Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:43.594{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E71517C459C25FAE12D43382809180E,SHA256=977CB228C32BEC24B8E71638F6A5B6953CF2DC77366A8A5815151F236D075E26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024809Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:43.693{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A55E20907A0A1590F0B5293702BF6658,SHA256=AB9A045F2965903989874EB1E7301B3D35BE5B6888F1DD3E82A4CEB53288A382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024810Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:44.756{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=993255FEC9B0A3CF0E7F0EEF2E0A0589,SHA256=29A26B1640371E66F2A6C4A238800844B2F26D633F0E4A75A920EC0E49A0481B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043768Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:44.624{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F82039DEE7A731CDD79BCDD37C32956C,SHA256=4560B09F04822523C282F4922468CD04E7C3B7E6B7095780664B4D47A4E9E324,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043767Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:41.803{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51580-false10.0.1.12-8000- 23542300x800000000000000024812Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:45.756{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E55B8BEB4C63AC5A9D50A6D4463D9B5D,SHA256=B2F1772ED7D9F83E99B1B65DF35277A7EEECF8E139282AFF5D9362B87932CD65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043769Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:45.639{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D49B2C2E7F479CB28ADEAA949C3DF43D,SHA256=48DF10F055A1EE14DDCA096505A0D78A9739E47E7712569AC56B79CDEFA1D7C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024811Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:43.946{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50843-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000024813Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:46.787{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E1319D6C790A04B70BA67ED7D04C76B,SHA256=BF4890024173B8FE54A7354E00B78A601921E7EE7170796AE1C974245AD7880A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043770Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:46.654{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C95ECF002362985698AAFD8EEF4FBE94,SHA256=3C17D9E51EA2101F494F34F7E8F75CE8D3DFE41587233D4D49138A2420A85ABF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043771Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:47.671{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6599449A010151A001915DC26B70E180,SHA256=62B41A6FA8318B85F8DFA6C8C195509B342EE0B15F3FEEA2F048079FA82506C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024814Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:47.787{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9410AAE78E4F0E583EA36E06FE2C83D9,SHA256=B799155293547B032137649FE8274073B095F6090369E9FA690BD7BD5E18CF15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043772Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:48.706{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91AA956B3675980F183D93634774E3A6,SHA256=845BCBE3525B718F18A4CE86544F34C91CC3794D1C5A1112AB32646A68CE6418,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024815Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:48.818{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B887B92A618FE89F602DA5DB833449,SHA256=F4FA0D337A4765A24DBCB3669C9A6ABE7717D3404FD4E33A1EC8EA365258A7F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024816Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:49.850{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87BE138D2C7F9BD0F68D82B021D1B44B,SHA256=B1F7DF3B134F12428436673F1048EB776D297F03091829F753C6C1307D428B5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043774Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:49.737{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B69B9666B35E7E72B0DE2A2905E272B8,SHA256=331528C81BE577F79F359E13695CC8E363E5F0AA5EF92260E5FC24B724EE0A88,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043773Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:46.848{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51581-false10.0.1.12-8000- 23542300x800000000000000024817Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:50.881{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23258E8C21300E9C9C9BD82832B4A93E,SHA256=9EF08E9E0C1BDDC6E8765576ECD23703CB08CAFF4D50AD8A0D6E8DFCEBEA0961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043778Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:50.771{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F28E2154AF29C5F1B719F2EB06E5905,SHA256=02643385AECEFAD92BE5FCAFBCDFFD14881253E0AAD781AEA443EB308C7E3D74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043777Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:50.290{323FE7D8-022E-6136-0D00-00000000F001}9042288C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2D00-00000000F001}1684C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043776Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:50.290{323FE7D8-022E-6136-0D00-00000000F001}9042288C:\Windows\system32\svchost.exe{323FE7D8-0617-6136-F403-00000000F001}4476C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043775Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:50.290{323FE7D8-022E-6136-0D00-00000000F001}9042288C:\Windows\system32\svchost.exe{323FE7D8-0617-6136-F403-00000000F001}4476C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000043779Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:51.805{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C6A7DB0176795F1C94A66013BA56E85,SHA256=6F63E5F12039D7769B7DBBACA1917FD14D5BE363560926D544ECA9D66E5FDCCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024820Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:51.896{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15C771B292127F4002752C3FE1484824,SHA256=5D1691C346F8F252331F6EA2AB8902BB95B8BD8D2D7D33BE1B0A1418B9CAA8F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024819Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:51.568{FFF7FB96-041E-6136-1200-00000000F101}1020NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=BADA7853F383D86C355A65703805952F,SHA256=6B1965BCC71C811D3A624F3F9F01C48B94F413416C5BBA3A07C861C0EA6CB9E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024818Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:49.009{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50844-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000043780Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:52.835{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52D8EF82BABB896A91F77100B61F0678,SHA256=70FF72E75CC5AD274FA50DBE2E1D1CA4B29718B3080632159F6FE37F195266B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024821Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:52.896{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81F555550F13DC770C958A4036F2DF2E,SHA256=9BA3CC8C06996545D2BB05C2C9FD75BAF8188F950091D48BCE783148266E3A2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043781Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:53.903{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC84FA0C6259C5D87FBF62E8185D7363,SHA256=8D4D6711ADEDBACA7C2957B27ECE8DE77D5304957F5F6DEB66FAAC70405C8629,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024822Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:53.912{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F464508913361A027D9A0C18208E8B0,SHA256=EE082615CFCB9DE26CBA80AEFA23C0D702F3FFB41209DE5F9D65FDC3E39ACD00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043782Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:54.934{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A48DE880A21437DA45549E0E0ED427E,SHA256=E996A2F470290F73AF549B5B1C123EAE3C3B4F6043F1B2AA119A819ACEA7F9E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024824Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:54.959{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A318D3416DECE8F7A4D0F9A3772DE2FF,SHA256=8A651EBA3DB4E41804422AEFE4693D955DDA530D54C5F9764E8C45456E5131A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024823Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:53.065{FFF7FB96-041E-6136-1500-00000000F101}1044C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.15win-host-353.attackrange.local50845-false69.16.175.10hwcdn.net80http 23542300x800000000000000043785Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:55.968{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D47E114333F032A2E19EF5179ACF068,SHA256=71E0F1294C97AC69B99FA8E0835F4E262AEC364CCF757CE941ECC8EA9E976DA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024825Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:55.959{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2AE28AA614270D56F439A9EC113C144,SHA256=205742FA70B6E2F0FBDFA7BD206FEFE2830FA0423F13FD35D29DC1612C55CCCB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043784Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:52.840{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-456.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51638- 354300x800000000000000043783Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:52.698{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51582-false10.0.1.12-8000- 23542300x800000000000000024827Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:56.959{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AD0AC64E5AB185213C83340AB4B61AA,SHA256=5197C627831ECEAA6FD56D4CE0A5FCD1546A066FF8CD98AAF2375A83B36D8277,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043786Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:54.069{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-456.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal58734- 354300x800000000000000024826Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:54.931{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50846-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000024828Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:57.959{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D4773F5B8166FCF41CCFAF6283A4AAD,SHA256=30BF04D5A7DEF02B22C3C1E5DC14BDADDEA73C14CB9E62A2C24B58161ACBD0F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043787Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:57.001{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F68668773BA7EE51E7C00BC244E5261,SHA256=B43B87A7E92C632CBF9647BEF4DE938396FFBCACCF3C5084DC70A30D0580640B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043788Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:58.016{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C08E3869A439227EEAF12EA4AC96183,SHA256=D3B38624F746F3D17C7E3A07990EEA6AA75902FF0C3E7E8556BB6B29C1C67FF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043789Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:59.031{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B188299D59E0F60BA7ABE3F62EDCCB94,SHA256=2F4CB90F9ED78A0213ECB6BDC350D9558DA82F605E733A87FF7F0F8B5CD8D487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024829Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:59.045{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9649278FAEBCE6ADBE2551F1C8FCF6B4,SHA256=738EE5508BAFE068C72907A7B1BBB46A5C1F7E45D34A9E6FE3932411549AE90E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024830Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:00.045{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6F774A89CAA6A5874CAD82E9F1983AE,SHA256=4269C6DBB28678481C4EE8F0880886E3094C9B31D49826F5D9DCF7D91B0091B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043791Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:57.710{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51583-false10.0.1.12-8000- 23542300x800000000000000043790Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:00.046{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F22898BA185219D7153C4F0A98F963D3,SHA256=AEBDC35B4DFE2BFE451EC678468FC722B3BB643F05883566DA2691D238107E9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024832Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:00.001{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50847-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000024831Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:01.077{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A50B1E29A924C35750E9EDB47FBF3DE0,SHA256=A4FEA61B5F848BCEB4C897A27038A096EC937F3DC56EB61D26C5B6BEA77FF03C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043792Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:01.082{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=341AEAF959E36ABEC94018B6F18D0CCE,SHA256=DB6157B3C106105D5E7E053785D3EF82ECC0616EB9FB589C9232B808CE9E8214,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024833Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:02.123{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B71593DFF9C72FC52386608F65B9AD8,SHA256=351951EBE8ABDBEE5AA7A34E9889C5DB4D996C29F237AA5DA647E72ABABFD14B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043793Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:02.097{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F05F98D018B4B3C450A30EAE17D848,SHA256=E379008B89269912D22F83EF49B10FA5D5A02E4D0A0144DFAF4950001958F0A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024834Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:03.139{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=119B84A6AAF1E3AEA854B1B07348586D,SHA256=15CFC8DACD0E8CFB030E8F786A25E09E0D9F0D3AB7CF6037D77172ABBC54B40E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043794Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:03.112{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A863556C7E11A6F27C5DCDB8AE470B6,SHA256=3D837FCDB6555B5F1DE0B30E35DFD57C883DBD9FBC5380C8FEA8CEB20B5F335F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024835Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:04.155{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B26DF9FD853E0FEC75104E10052CC7D,SHA256=8DD63C80CCB77D1D9595930ADA0FDA109B7280F441F1DB28CBABD544A53D55D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043805Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:04.611{323FE7D8-1980-6136-BC08-00000000F001}4932364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000043804Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:02.837{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51584-false10.0.1.12-8000- 10341000x800000000000000043803Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:04.411{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1980-6136-BC08-00000000F001}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043802Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:04.411{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043801Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:04.411{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043800Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:04.411{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043799Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:04.411{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043798Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:04.411{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1980-6136-BC08-00000000F001}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000043797Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:04.411{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1980-6136-BC08-00000000F001}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000043796Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:04.412{323FE7D8-1980-6136-BC08-00000000F001}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000043795Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:04.142{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB95AE3A0ABD0E6B0A31D364187F7DA1,SHA256=5D33043047565845D77F9CD637D45417EF123BEE46E57023A6BE309F51B47D82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043824Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.762{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1981-6136-BE08-00000000F001}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043823Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.760{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043822Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.760{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043821Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.760{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043820Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.759{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043819Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.759{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1981-6136-BE08-00000000F001}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000043818Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.759{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1981-6136-BE08-00000000F001}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000043817Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.758{323FE7D8-1981-6136-BE08-00000000F001}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000043816Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.426{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CB50FB5EE8B83691D240C435ED24149,SHA256=349016206128673D0673C9F66BC345E7059582842290AB9A87B76979073128B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043815Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.426{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33120D223A941700840F61A3CAD468BF,SHA256=C91B6F45A47A5EEFC50BB145F9CF16A812A678E564AFC6219600B5A704C7691A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043814Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.164{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44D4BAE7DFF7D3F1A076C37D404B6C25,SHA256=126B23D7D9C249E5DE9CA2FAA6584167657C5AE8ABDE116EDBB52F8E456203C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024864Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.985{FFF7FB96-1981-6136-3606-00000000F101}33441120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024863Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.795{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1981-6136-3606-00000000F101}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024862Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.795{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024861Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.795{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024860Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.795{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024859Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.795{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024858Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.795{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024857Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.795{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024856Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.795{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024855Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.795{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024854Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.795{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024853Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.795{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1981-6136-3606-00000000F101}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024852Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.795{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1981-6136-3606-00000000F101}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024851Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.796{FFF7FB96-1981-6136-3606-00000000F101}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024850Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.608{FFF7FB96-049C-6136-9F00-00000000F101}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024849Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.170{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F073FFBB6C39F7231BB14E556EE9F5A5,SHA256=EE2A392CD69568A178693A1BC714AC67F71BC026A5E8BC0E816BE1BB0C7028DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024848Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.123{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1981-6136-3506-00000000F101}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024847Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.123{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024846Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.123{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024845Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.123{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024844Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.123{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024843Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.123{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024842Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.123{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024841Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.123{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024840Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.123{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024839Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.123{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024838Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.123{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1981-6136-3506-00000000F101}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024837Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.123{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1981-6136-3506-00000000F101}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024836Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.124{FFF7FB96-1981-6136-3506-00000000F101}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000043813Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.095{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1981-6136-BD08-00000000F001}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043812Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.095{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043811Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.095{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043810Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.095{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043809Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.095{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043808Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.095{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1981-6136-BD08-00000000F001}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000043807Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.095{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1981-6136-BD08-00000000F001}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000043806Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.096{323FE7D8-1981-6136-BD08-00000000F001}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000024882Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.439{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50849-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000024881Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.033{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50848-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000024880Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:06.467{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1982-6136-3706-00000000F101}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024879Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:06.467{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024878Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:06.467{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024877Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:06.467{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024876Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:06.467{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024875Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:06.467{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024874Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:06.467{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024873Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:06.467{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024872Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:06.467{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024871Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:06.467{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024870Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:06.467{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1982-6136-3706-00000000F101}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024869Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:06.467{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1982-6136-3706-00000000F101}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024868Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:06.468{FFF7FB96-1982-6136-3706-00000000F101}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024867Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:06.170{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2035A6B44E075FC397BC92508F6F3DE2,SHA256=D891C5C9AC6B832B351F6BE11770FFD4732C0554C03FE864F55514304BD500F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043826Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:06.561{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CB50FB5EE8B83691D240C435ED24149,SHA256=349016206128673D0673C9F66BC345E7059582842290AB9A87B76979073128B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043825Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:06.179{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16D705C8900C62E9ED2C723E5D96AA2A,SHA256=3AF62350EB242C8D018AEBC945D98D99190036FA56593D6614F344D9AC293D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024866Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:06.123{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=042E086AF62B4D1EAF80D7027AE45849,SHA256=377E5CAEAA71E5EE87192C9B7C7D261E8319DB9D40DCFCFACF2400E9C1005879,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024865Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:06.123{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA2A1ECEADA3E2200AD7EF0D5786F9CE,SHA256=9F3BA2451A6336944B2750CCD6B8B76628C1C0BE2D648FBB29E7C829CAAE7157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024898Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:07.545{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=042E086AF62B4D1EAF80D7027AE45849,SHA256=377E5CAEAA71E5EE87192C9B7C7D261E8319DB9D40DCFCFACF2400E9C1005879,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024897Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:07.498{FFF7FB96-1983-6136-3806-00000000F101}32122956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024896Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:07.358{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1983-6136-3806-00000000F101}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024895Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:07.358{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024894Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:07.358{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024893Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:07.358{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024892Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:07.358{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024891Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:07.358{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024890Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:07.358{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024889Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:07.358{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024888Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:07.358{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024887Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:07.358{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024886Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:07.358{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1983-6136-3806-00000000F101}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024885Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:07.358{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1983-6136-3806-00000000F101}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024884Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:07.359{FFF7FB96-1983-6136-3806-00000000F101}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024883Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:07.202{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0EF2BAF8894F9B97D09D894426A2DE4,SHA256=37D6B4D00DF59473CED4C399513F4125C62D96B9122D4CD800C244DEA9F96CB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043829Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.137{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51585-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000043828Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.136{323FE7D8-023F-6136-2800-00000000F001}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51585-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 23542300x800000000000000043827Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:07.194{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68AF141716D8E3FAD8C609902A3DE5DE,SHA256=90DBDC1132227CFBB2001BA115471CAA8F99FF3860E895A85BFADE4263313575,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024927Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.858{FFF7FB96-1984-6136-3A06-00000000F101}25643016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000024926Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.717{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C353377C59B4831CE928CAFE7F777043,SHA256=21EE2E16B2A8646FDD9127E9B5BB4363673A73B771C2316A666BAB68579D219F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024925Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.702{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1984-6136-3A06-00000000F101}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024924Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.702{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024923Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.702{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024922Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.702{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024921Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.702{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024920Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.702{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024919Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.702{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024918Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.702{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024917Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.702{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024916Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.702{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024915Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.702{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1984-6136-3A06-00000000F101}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024914Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.702{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1984-6136-3A06-00000000F101}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024913Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.702{FFF7FB96-1984-6136-3A06-00000000F101}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000043848Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.908{323FE7D8-1984-6136-C008-00000000F001}63161828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043847Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.739{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1984-6136-C008-00000000F001}6316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043846Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.739{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043845Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.739{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043844Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.739{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043843Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.739{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043842Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.739{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1984-6136-C008-00000000F001}6316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000043841Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.739{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1984-6136-C008-00000000F001}6316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000043840Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.740{323FE7D8-1984-6136-C008-00000000F001}6316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000043839Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.293{323FE7D8-1984-6136-BF08-00000000F001}38405384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000043838Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.208{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABE1E3933AC520BFE7584A1EA5D27B1E,SHA256=67DBEEB051B12455FACCE7B8F6239B8B3FE6F629DFD1BBAC2069B9D6773260B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024912Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.170{FFF7FB96-1984-6136-3906-00000000F101}7001704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024911Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.030{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1984-6136-3906-00000000F101}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024910Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.030{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024909Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.030{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024908Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.030{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024907Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.030{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024906Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.030{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024905Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.030{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024904Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.030{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024903Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.030{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024902Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.030{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024901Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.030{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1984-6136-3906-00000000F101}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024900Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.030{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1984-6136-3906-00000000F101}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024899Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.030{FFF7FB96-1984-6136-3906-00000000F101}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000043837Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.077{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1984-6136-BF08-00000000F001}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043836Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.077{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043835Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.077{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043834Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.077{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043833Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.077{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043832Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.077{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1984-6136-BF08-00000000F001}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000043831Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.077{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1984-6136-BF08-00000000F001}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000043830Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.078{323FE7D8-1984-6136-BF08-00000000F001}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000043859Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:09.576{323FE7D8-1985-6136-C108-00000000F001}58165032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043858Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:09.423{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1985-6136-C108-00000000F001}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043857Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:09.423{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043856Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:09.423{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043855Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:09.423{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043854Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:09.423{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043853Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:09.423{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1985-6136-C108-00000000F001}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000043852Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:09.423{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1985-6136-C108-00000000F001}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000043851Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:09.424{323FE7D8-1985-6136-C108-00000000F001}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000043850Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:09.223{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D3274DB0EDAD92A9075247E938CA1D6,SHA256=E25A6BADBDE899B418CDD09D9BB82A5F5D0D229D8BE077FB63CBD37E25F28756,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024942Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:09.393{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\respondent-20210906120554-088MD5=4761C661187147E55C9BD88F93ACDD3F,SHA256=E49051AD655512C416AEEFA39D6145E31F50204E8459201070596158B48A8487,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024941Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:09.375{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1985-6136-3B06-00000000F101}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024940Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:09.375{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024939Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:09.375{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024938Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:09.375{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024937Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:09.375{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024936Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:09.375{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024935Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:09.375{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024934Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:09.375{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024933Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:09.375{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024932Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:09.375{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024931Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:09.375{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1985-6136-3B06-00000000F101}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024930Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:09.375{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1985-6136-3B06-00000000F101}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024929Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:09.375{FFF7FB96-1985-6136-3B06-00000000F101}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024928Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:09.062{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6BF644B31CBDA3FCE772381BBB3DB0E,SHA256=E5C76F2DDB3C07854C366116FF015A093FFE64979316D15F302AF5CC5CA79FAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043849Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:09.092{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57D2B1669CE2BD301C22AE2426A770F9,SHA256=A74A17EFF0D49A3A5D109B0340560C8D37D98C6A4FFEF816A856C06310DADC81,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043870Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.649{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51586-false10.0.1.12-8000- 23542300x800000000000000043869Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:10.423{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FB46BD8DAAEE5F33D2585C26B8BB551,SHA256=CE401264C437BFCE5E8224F59FEE55EAA3D300EC0FA2C982BCC649FD1BC4F4F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043868Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:10.241{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=946E8D9ADCD041518562DE13C6F58055,SHA256=BEC1207FD1DE2E613C0EDBC2043FC4FB346D5FAA27CAB951F1377DDA14BB7E7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024945Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:10.395{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE2B2328946CD4E6B7E45083D251DB7A,SHA256=AD0FB4AC34E84525B4215D3E8DA77003B9924B3CB1C43B962336F7A3A0442A1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024944Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:10.392{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\surveyor-20210906120551-089MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024943Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:10.219{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F616057449869B61A1AF23C7B659CC15,SHA256=DE530DC5C667DAFB868B836D43F41DE040AE3059AEB1DC4A339FBF04182680C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043867Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:10.092{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1986-6136-C208-00000000F001}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043866Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:10.092{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043865Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:10.092{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043864Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:10.092{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043863Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:10.092{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043862Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:10.092{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1986-6136-C208-00000000F001}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000043861Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:10.092{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1986-6136-C208-00000000F001}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000043860Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:10.092{323FE7D8-1986-6136-C208-00000000F001}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000024947Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:10.050{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50850-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000024946Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:11.220{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0A624BEC899984849329FC43771E944,SHA256=AE63E9396660E7844F5B68377E6AC86B8E015031169DDCB7786EAB433A9FEE27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043871Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:11.257{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F9B85047EA67FA21B2EC570FAC61A70,SHA256=A6FAE770A4D779BB65B7A9C736FB156E2DDBCFC1CE5300D4B9CB8DF7C6A636A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043872Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:12.277{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18DD34C424717F6DEFCB9E6CDAAFF94A,SHA256=B9B6F2C9280E4240FAA96EA36BB341AF013E9894E1A4CFD7A8A9DB237DEEF40F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024948Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:12.236{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D33A11B3FB29BF12744645C9B055014,SHA256=87C996B3F922FA6682BA757C1899B217EBA0A3AA6DEF736890B9305007A3860F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043873Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:13.278{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93BEC05CC7D9A182A71CB373F9F4FD1F,SHA256=3821A76CEC8ED64F264D1C67B23E484C4819B597C5FF1BA72E7386BDDDF18484,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024949Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:13.251{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CD1C5F4D6BC36ED203CE8A918097446,SHA256=211334653BAE8319F4164C7FAE14F1DF1775E251CD20D220F493B27D19AE0E51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043874Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:14.294{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F315D77E350D4DBC7DB037ACEE2FC2,SHA256=60A62CE117C87873A884870EA080A0102A5C3E482A57CCBDF9A541DEB3F93C12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024950Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:14.251{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=012E09E259C258504A162FB12997A1B2,SHA256=304E4AECCC9D5E011BEA2B5038F3F83191FF9BDDD73109C85B3BA3FB5F4C8906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024951Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:15.251{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EFF6007FC309B4EB1C84F1389C90517,SHA256=51410FC11F26958EF67EC95813442E5AEAAE791BAEE05BA71E25F83026A67D5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043876Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:13.803{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51587-false10.0.1.12-8000- 23542300x800000000000000043875Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:15.308{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F46259948B36ABAFA9083B8DFCF70A08,SHA256=4B59DF78562801E8A85C432A5AD0B584707D785181706F865ADFC61CB881B030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043877Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:16.324{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=176E307CCFBD9C44A434A267376F34DC,SHA256=C23CE5F1FE6D177376561E7109243CA40E3B4A3EF6A5647B5CAB7A1546C4CD9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024952Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:16.267{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48D416D134B7EFCC5D7DA2A20979C524,SHA256=904B5DB31DFCABE4119A1B4C7187D423E880AE4033D9C1901828B75A75E3D84A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043878Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:17.340{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=440024691999EBED6D19B1ECE7537FC5,SHA256=E57E829365A7FAEEFEDC4CDEAA56DA01F8AC3EA6BBE0E7766A848A888F2A3FED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024953Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:17.283{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77C08B937EC20DA5FF272DD478F0F9D6,SHA256=B921A5119BBE0A6B500009AA3A1A6AB873824FF85135626845BF87809A498C5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043879Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:18.357{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF68ECB59443F43840DD2AAB159DA244,SHA256=CFA3830C452FFE4ACAD01C06501FF158C4A0EB924362EFBBE1D8C82208CB7992,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024955Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:18.283{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA3F2A8D461FDFB3251C97D1CBB3EEF,SHA256=2A15036FB4CB73004140EB436B6DA50BCD52CECD5CB6E867A746DC84EA2CA8E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024954Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:16.004{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50851-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000024956Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:19.293{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF2030572B9FF0441E475A34219FB734,SHA256=BD78F22CC683936C44C8B2265EE01ED13C52D06F3BDA1E21150748FC75B09EE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043880Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:19.376{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5F977B6AF31FD4927ABFDDAB1D723E4,SHA256=D48DA938631548F3DB8695DB5C46653C4926BCFB9126432060EC5E81AABA506E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024957Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:20.298{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8837E18FC05ABEAC75B412E18935B8A,SHA256=3BC6FF6317A6FA0E6AAAC01072BA1EC1FF1A5983B2AB176DA3FEC7ED37660624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043881Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:20.391{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=469EA52818767060CAC6DEA184D5BECA,SHA256=2534C34817A9E6E5271094B033E9F07B02910BFCA47DF58C0E8FBC9B12DA8FE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024958Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:21.309{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=132BB09B211C8655816D6616EB221B69,SHA256=809FF86DD3DB40DAC5F78FE1B22DD3F91CCD7733BAF88AFF3F251506E94BD11D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043884Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:19.670{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51588-false10.0.1.12-8000- 23542300x800000000000000043883Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:21.392{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ED8ECE01BC7595C2C4783DEC5EC3F71,SHA256=59D31973A1017CF2863139835F343A86D279C871D574A42522829B1A86DC5E0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043882Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:21.025{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\respondent-20210906115753-096MD5=58D52BFFD80488B8005F7C319C2D4334,SHA256=B9D8441D1BC2ED8425146F5F211E2A21C477807F4E0B7EBAD9811C868FAB9279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024959Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:22.309{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A70172537A4595D05B9F5FE24E5D81AC,SHA256=BCE66DB5E6D94ECB7907EC16088C4FEC7B4ABD6EDC1CF2858A35673A4BDC7A3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043886Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:22.392{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=644982BFFD2D54ACDDF5A0AA1DBD4BF6,SHA256=58DD4AAF43B576D80071B1346461D4B7BF5666760957B564EF60214C3D2B931C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043885Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:22.024{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\surveyor-20210906115751-097MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024960Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:23.324{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6C25F055E83F7F966AA55CDED7C943D,SHA256=B92281ED8F65EAC8850362C9274F8CF1B18F8757BA4A603EAFB59EE076069FA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043887Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:23.423{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84B62AA73FC68158BE06EF3B3E4CE57F,SHA256=8987AA4CF263E7A7CAC28575329426F419D0CED585335E9EBD46C35400C4906E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043888Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:24.457{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DBE806F6DF993D91B518AA87FFB0C7E,SHA256=13BD3D00CB90DDA092D6881C661D51C44C3EAABB1FDFA994007D9D637A831BF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024962Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:24.340{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE643B15CC98591FADB96034E5063E46,SHA256=99C45A36A2C490F3962A8A671AA5B3A9878012EE75889F6A9799E185A00B70C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024961Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:21.999{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50852-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000024963Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:25.356{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BE6F98E70D5D418357F35185D2A755D,SHA256=AAF0FF7978AE6C247B50CED2F286E30B28CA1F819119F2B8493FE5EC00486549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043889Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:25.475{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B622B98F0780A079DF188AEED7525886,SHA256=97FB520325E0013D029734D483A7962A2BCB6182A61BD40583F43A132E53FD0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024964Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:26.356{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D8493F4B93D78485CF42EF9754EE8CE,SHA256=077E66626BAEEE44AEF4183F9E4D7B2CCF0E81EBD7BC11F69AA84F15704116CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043890Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:26.490{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D882FFC6FBC0D88A3CBE1BD5FADF110D,SHA256=85456ADC7F07129CA0F6169F987D1265C2714B8EDAD42B1713BBF986BBD02362,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043892Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:27.504{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83ED232A8A6BAB249A82EF7901C99D10,SHA256=2D972D1F3193352B720DEE052ED21E77F50F20D7A5074ADE583E3987F5E9BE22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024965Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:27.371{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D326F78CF942952135A481D65637DDE6,SHA256=16B5539FB7EC6826E4F4E536E6823CED3748F038E7B45161DB8E0D96BD39903E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043891Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:24.785{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51589-false10.0.1.12-8000- 23542300x800000000000000043895Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:28.519{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7B781B87354E903796343D3BBF9918B,SHA256=34E25552C0D4684C313D8A22080953A5D388816FFB4A7622BA6EBEFB4999017F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024966Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:28.371{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE091B1CF01674F298C049D1B6064B4E,SHA256=EB34BF4FB046A8446759C9A9471C43220C5926F32F49624A0517F8BA29474232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043894Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:28.488{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BFAE9961998D13F4D29896EACED9A72,SHA256=586F0A6C42F50DD55B85DEF5052B3B6372D10212C05DE56FA7366F0A606890F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043893Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:28.488{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F133DF12B8EE5EC619F149266248C0B5,SHA256=63E826F8B047834DEED81C1A3645FC8287C734546EFAF357AE3D80CF97E683C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043896Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:29.553{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30DA489047A0C84991EF3C6F260BB6F2,SHA256=2684E0D05302345AA6A6D8ECC8A4B57E4F63B777B91AA432365AC2EA2B7AB9AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024968Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:29.371{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5216EE02D84AEE20D3826CA12D130D1,SHA256=ADCE8D84200B7BA21951B8A459079E8CF105C97601D5DF29EB22F7C52E6B2B38,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024967Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:27.030{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50853-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000024969Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:30.387{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8586E96D5D7B25E98E1EC756D8F8E232,SHA256=E5C274D3460123FA1AA063C5D40CE486ED5E2262F51586050C93BF5C00DD6AD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043898Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:30.586{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09158CC8D81E3B2C4823C4BD9849C88C,SHA256=6C1BE7EA1AD9E3516646DFABB783E94F8D6B368C2E2E58EF8683361E6B05C80C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043897Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:30.118{323FE7D8-02BC-6136-A700-00000000F001}1036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043899Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:31.617{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20F709401ADAB7DDC4EB39F564FCBB6D,SHA256=DD7EBFBD8E0F737A35B645CB367C530D24568C584C96D4B08900052C0E1367D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024970Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:31.387{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DD33FDAE9660011A1C48093D41BEB6D,SHA256=41BB90C6518A0B667E3D7D9E5DF1475D89915DF4E52D9045C64EF1E61DCAE0FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043901Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:32.653{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68587E8C2BD040CC80521C2A84B6E58F,SHA256=6D670E7814F35323E059B0042B58E35636B0501A159DEB0C816370A4470B1478,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024971Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:32.387{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=264F73542A6E8BB342E28A9BF4337199,SHA256=3BAA9ADC9408330955C0B6E6986F4E47BE07226970AAB230935315BE03A7C731,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043900Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:29.697{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51590-false10.0.1.12-8089- 10341000x800000000000000043904Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:33.769{323FE7D8-022C-6136-0B00-00000000F001}624812C:\Windows\system32\lsass.exe{323FE7D8-022A-6136-0100-00000000F001}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000043903Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:33.685{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89FA119C924D5CAFC695C385EF9991FD,SHA256=9E7CA7F449A6721BE1A09BB583350A0040B25F2AE1E1CB51D30C3B1A10C8FC92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024972Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:33.387{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=664C2DC63233D8938D0A2BC8E19D2AFC,SHA256=E1066DAB4017891AFB77BD5598BB9238CBECEDE38E73FDF72C90F358C158A851,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043902Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:30.665{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51591-false10.0.1.12-8000- 23542300x800000000000000043907Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:34.784{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C82AB87BEE153B176860E32796E221CA,SHA256=B707E4B33F2A8C501A4704FC2E572F3327B1B9FBDEB667CAC077BA0EC404B8C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043906Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:34.784{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BFAE9961998D13F4D29896EACED9A72,SHA256=586F0A6C42F50DD55B85DEF5052B3B6372D10212C05DE56FA7366F0A606890F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043905Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:34.715{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A70027C90F9F30599C8E2124E34E59A8,SHA256=B96FBCC19307565A049CD7CF8FD40D50A03BA589D853E3EAFF8F02F01FBB950B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024974Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:32.108{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50854-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000024973Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:34.387{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64E4008AFED6B8495376C19015101567,SHA256=2FD0B285BD5BA0578AADAAAB0645DDDDB2434DAA3A340C5820C646BAAFE15760,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043912Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:35.730{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43E8E7CC113C75F0023F3D10A4A24142,SHA256=86E489A949409D98EDA6E7853956B43CFF29AE9709CCEAF0C5A97398571DF51F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024975Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:35.387{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5D18F0C1BBA7A5BAD477C1D94210820,SHA256=1B4D1EA0DCA3861DDBBDEEAA5BCB2379514666CF980FFCEF37928F78505853C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043911Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:35.515{323FE7D8-022F-6136-1600-00000000F001}13082520C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043910Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:35.515{323FE7D8-022F-6136-1600-00000000F001}13082520C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000043909Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:33.365{323FE7D8-022A-6136-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51592-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local445microsoft-ds 354300x800000000000000043908Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:33.364{323FE7D8-022A-6136-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51592-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local445microsoft-ds 23542300x800000000000000043914Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:36.748{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C4A8B92D6C772A9BE87EBA09ECFF6DA,SHA256=D297DEE211B3052A84EFD9A9689B979E9BFDA977CDA84E8D3C60A4FE24E0A9D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024976Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:36.403{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FBCFE53E9E6782AC89C5670D94F8F90,SHA256=992D15D271BF230E1DC2F890C1F74CEB0E6657E20B4BA612E7AC49517459C620,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043913Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:36.183{323FE7D8-022E-6136-1000-00000000F001}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B0FADE96BD0EA8FEC5C9547CE1E1FDA2,SHA256=0DA54076230CA6412588D1450BA36D333C5B580BDFC0EE1C76CE773CFAA6B1DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043915Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:37.783{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAAA151EC96B5359804C4FA40FE64857,SHA256=3E8853BAE61FDEC8F0AD8894C08049BA1B519C6436169EB2E82515E183A08897,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024977Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:37.403{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=718FEC9B7FE789A6553BEDF0DBCCEFE0,SHA256=07DEBCF7B470061EFFBAD9EC1334A36DDEABB99FCD9F1091DE533A1AECCEC2F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043917Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:38.798{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDF216EEEB6117F44AEFF8FEE716B90B,SHA256=F38BA87B76B57A61861C73748E75A9073EC7A69FA7401FA2E258A1642121DB88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024978Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:38.418{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EB45683759D984E0C345E179620CBCB,SHA256=7CC29910F35671012EC58BBEE21964C807F006668A0159379A9DB3F33706FC07,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043916Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:35.693{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51593-false10.0.1.12-8000- 23542300x800000000000000043918Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:39.829{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1F0E036CC8A231B049BAF04C2EBC4F9,SHA256=BDAA1AE51F2ECF7FBAD8F1328FA988964D434472C2F0F4CD5ED5493E932A3B6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024979Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:39.423{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9E95D47C2595883B7121BF4CEBB4E26,SHA256=F117CBFCCCEFE40933F9A69D6A17E3F9BBD00BA5143BEF775F5CAF7273A3D0CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043919Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:40.847{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE2B57955C17DCC9E9395B6E44505EA,SHA256=A15CA6FD281F364C96CAE15F7428BB0D8A2F9B72B01740C6EF18CD287965B1D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024981Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:38.077{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50855-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000024980Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:40.501{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=389BED404239665566D2CDE3E2C25996,SHA256=6E33C2D65A8EC3863FACC921A3A7AD5163C8770917AA92BE52FDBAC103A121B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043920Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:41.870{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1279DCCB620F44E9005CF031EB8876A8,SHA256=CC95CEE49185A7E14870489DB0F6226E2880B838A52F6964879C29FDA132AA36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024982Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:41.517{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3386204EDAB437D779C73B5E0021527,SHA256=21071227AC5F0B37B8D6F6DC5A01D052A007DE2CA94D3C3B25304CE3594CF110,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043922Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:42.880{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9924282B14D4306567131B7FD4EE2C0C,SHA256=E6DEF88E0F211AD6AF887FEDABAFF941550FF9C2BD2D2427396CEA0C8E6D3DBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024983Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:42.517{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=753A057300F03BF39E3E8E05AF5DB13D,SHA256=636F5E5FD35C005B195D0D8A06C23B66494FB2832C923E5DD5FD59A2E52CB99E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043921Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:40.791{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51594-false10.0.1.12-8000- 23542300x800000000000000043923Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:43.895{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF45E7370ABA3501FD74D415367F32EB,SHA256=4849EE7DA108AB0111ECEB4F99978FEB152D2BCF145FD9C6F052E19ED66D0A14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024984Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:43.532{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEEB3CBAE5510B061EF8F3A9183FC8C9,SHA256=0D42BB69CD4E60A7058950172726C312F6C2B922A5F991BC77AD26F896D02DE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043924Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:44.925{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F590BE19D630AB1B57A1F50346CC054C,SHA256=8D33778B4E1BB7C07B35E7A94772C979A2713C4A75DB7C29908F60DFBA2D9CA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024985Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:44.548{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0189704CEDA7F1B86C50D82C2FBA5323,SHA256=B853A9765D4C72BA1747B845A50700E18D090AB5AC7C7AE53103D7C50E5E3A9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043927Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:45.944{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72C872516D16D34EAC95C8266DE222EB,SHA256=A4C0D71638874A4761F69905176417429083D2B75D242B2F25C09506B2BB276F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024987Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:43.848{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50856-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000024986Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:45.595{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7CADE99A386C07985817CCC072F36CA,SHA256=9E64C32D6F1E77971C1AF8DA68612B98569EE3597DF3604E5487086EFAC8B38E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043926Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:45.594{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A0AB0DBFE53026B5582930159BBFA26,SHA256=492DF6D1CED0AF675845DE70593204F0F2B3614709F4D58D52DB61CAACB1D2F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043925Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:45.594{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C82AB87BEE153B176860E32796E221CA,SHA256=B707E4B33F2A8C501A4704FC2E572F3327B1B9FBDEB667CAC077BA0EC404B8C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043928Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:46.993{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F62488CAAF86504FCDE74330C304C93,SHA256=46C89B970BE9E99726CB92245F91DA0CA636171404E5A9055FAC0E1DB673DEF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024988Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:46.595{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F067DA319FF5E8771FE38B54D1863DC,SHA256=2B9136BCFCC1417FF41E218C01CF11DC5C77AE2167DE93C777C525A9191DEE67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024989Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:47.611{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=424F091D8A7C803F0E4559F51ED9F760,SHA256=CBD743E12F9EC39145DC1624156687D4F60CD61CEEC327F6DF5516CA4A0BF453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024990Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:48.626{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C13D60749E588BF5B962E477FD2F293B,SHA256=70BEB1CDB6109C8FCDD0D0EC163E4675E7355C5E593141BAE5CC8D8D5A705DDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043930Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:45.835{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51595-false10.0.1.12-8000- 23542300x800000000000000043929Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:48.008{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C1E9AFD74DD9A5804BFFD028DD75F62,SHA256=42E39C3C9CE33417C3D8761BAC8B6A51DC1CA7D39CE4B8DD325D0C130EF3BFE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024991Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:49.642{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5E1FAE1E36184EC832CB5EC41362BC4,SHA256=5E1C7957E4558D69DED8443D9088670FF9B4A26F27E99ADB2B48EFA8EAD1FCED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043931Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:49.009{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B722FAB08D091C7184173A966A27F91,SHA256=4694F5770344A53E9D98E83AC418958932FBA3EED11BA85593EC9AB8DC19DC1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024992Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:50.642{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=162B0D66379B4D37CB414C052894565D,SHA256=C255BE4640235213C9D930DABC4A0A13527EF6A259AA63AF058B6BD2564E1D90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043932Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:50.025{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA398086F29DA0624A6973CB6230D994,SHA256=FBC2C1199EAFAF9516AE3D848C8B6B766E5EA54E21F7014ED97F8714ED6F511D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024995Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:51.642{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDBD2464334E2508DEC794557B6A1B2E,SHA256=E0F8B19B435C57C7507BB8B8370023A1B488D38918F86DC90A4904992CF64556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043933Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:51.062{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=614FAFFB7DEBB1F8EF4875DF8A4A4C78,SHA256=25453308D1924071CDE148CDA38BABFC6A3D44F4426CC05919957143B5E0B432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024994Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:51.579{FFF7FB96-041E-6136-1200-00000000F101}1020NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C80F39955F683B34C230D095BE8A7247,SHA256=B3C32290AE954774F16E4AEF9787060B3389AFFA81ED986C43C217317C5BF45A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024993Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:48.910{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50857-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000024996Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:52.657{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3729C82D4B17968C4A8F84F9234C09FE,SHA256=0CE0AF5769CE943054F916BBEF23EE41459A506648B4137342E4D775BF1AF4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043934Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:52.077{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9CF331F8EE0A15EF19EE6D871270E0E,SHA256=3D66F408F7647DB0F623394C1C8711CE3DE107863372CE86B56DA252833522EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024997Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:53.673{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26739662DB162A664EA99710CF1AA775,SHA256=C782C9ACC1A3CEB3C2383E0E7CA6BCB3E5091E16FA527F5804A0BD2D2DF7D103,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043936Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:51.619{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51596-false10.0.1.12-8000- 23542300x800000000000000043935Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:53.092{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB120DA8BBD82404DA464BFD30F3D168,SHA256=155FBB098F9309ECF58992013C335DCE4AF27BC999A2AB66F2D093EAC8C05715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025003Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:54.736{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=604AD792F9033E39F18F2B50100FAF46,SHA256=CD0FA6616DE9E51DB22A40AA6753F93F7572F6C63B2A16ACEE5386CA47D3E8DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043937Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:54.107{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E7D382BD49C5AAE2F60BD50EC1D5C86,SHA256=99185B523FE5D0A140A3F898E70029498B908509290444FB6A29BED112DC56EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025002Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:54.673{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=52D02EAECF72729AE97352AC370416B7,SHA256=AE81612F928630C7FAAE21AF26AC58170495730C3317CE4B27B330A0502B434E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025001Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:54.673{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A37D1B11558979738D6CCDE00D8C4923,SHA256=661DAA12838866305827EEB2C1E979B11CEE108D3219B2F1DF5045CAF7BEB5A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025000Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:54.001{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041E-6136-1600-00000000F101}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024999Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:54.001{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041E-6136-1600-00000000F101}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024998Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:54.001{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041E-6136-1600-00000000F101}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000025004Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:55.736{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=318BCBAA88A9205673D7704E1636132A,SHA256=3DBEFB113EB3D45EB680CF0A6DFC629031E195A5FC4EABB44B68108FF16B9920,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043938Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:55.122{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58E7D3106F38262FC573EC39A7B9CCD2,SHA256=9B59EEC7E192FD0EAA35DE740F62B8F20CE914B9D13D66A09AC0F95258E9C400,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025005Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:56.845{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24BF804FACA48E1BA0418FBBA5249A61,SHA256=F1418D5671B7148F3795156BB3D9D81A748F2980A3387D5D374D4EDC61E383B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043939Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:56.139{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB0B27389F732CD03BFE35F190E932B9,SHA256=7588178AD2A335F83611F3C2C1F259BE518E980A0D9AB194D8CACD34D7AC2249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025007Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:57.876{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0434842D683D6407F7ED7F6592367A8,SHA256=DAF6FD4EEE1897F2EFE4378C4F76E0EBEDF4A40D6C24F268B5257F30AA935D72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043940Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:57.151{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3589D77F9BD931AA490E811F37F6C9ED,SHA256=2D4BCFA233CA573C0316BEFDAB2C872603F780273E3E7B089E1741E2BBAFD149,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025006Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:54.910{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50858-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025008Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:58.941{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83062D08EBF2B02E2DD479DE04FE3FB4,SHA256=A7A65165F16E46F292EECACA69458F14C6F73E9969411652A8F631CE79F8F79E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043941Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:58.166{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A53E9EBC3EDE74CE54A1F8AC1516357,SHA256=7BB3F54FE5C56A845291CEB9B98A4146C96828652FC53FA4E286ADD102308200,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025009Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:59.972{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E786D37265734D3735F081BA93E11E30,SHA256=A6196AAF3BAF1C534B3F58F874A6F73DCD9F2DF902B8E808A37A9EF7A635B14A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043943Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:57.639{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51597-false10.0.1.12-8000- 23542300x800000000000000043942Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:59.181{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1BA210C777117D96C6BED57C637AA12,SHA256=F354F074734D9DC5064F13BEA7C91DC47BD57C3C310EDACC3E10E62D8FFE7482,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043944Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:00.212{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8362B597057823AD9E6405C8B7B52F32,SHA256=D049D6EA1A2CC6BF295D663A4828272C3E4AD77F1B68386CE136B7D5AD013CFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025010Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:01.050{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=482624DA1491D51AC883AB420EBD7D94,SHA256=832A1FB8C9ADBBCAED596BBEBFA5AA22309CA3006580B96E65BD14E77F240527,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043945Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:01.244{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CED41279F708B370611D3DBA9BC17FF7,SHA256=F856678743B1A51FBFA5AB52C8D5193542A130F804517C4FCB92EF82F415EFC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025012Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:00.897{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50859-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025011Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:02.128{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB9B7E3CF305C7BD6DD25B393713D92,SHA256=EF78C23800C36B30E66D425E848F691E9A9948D4F15EEAC9B22850BD6628EDA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043946Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:02.279{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C95AC66547EFC161BD354F71831B0FC3,SHA256=32DD0AC52185E7BF1902CD5F080137CD3B50A857EE7C26B8B0AEB0553040DE22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043947Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:03.289{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A9D7FF41D060C21DBF6F9A6DDC73569,SHA256=D0259E3A5F99A58CC6DE452DEF1C91F3A7C44A769A18E478EB11F3E30893BBE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025013Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:03.160{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC7403B835E6CDA6653B64573F982903,SHA256=98A3E871FF4612C5842C9786A41D218885877661C6FD1A1A61D3279C4010D1AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043957Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:02.699{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51598-false10.0.1.12-8000- 10341000x800000000000000043956Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:04.420{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-19BC-6136-C308-00000000F001}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043955Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:04.420{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043954Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:04.420{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043953Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:04.420{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043952Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:04.420{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043951Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:04.420{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-19BC-6136-C308-00000000F001}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000043950Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:04.420{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-19BC-6136-C308-00000000F001}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000043949Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:04.420{323FE7D8-19BC-6136-C308-00000000F001}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000043948Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:04.304{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D861992EBA7A6E7E1C16E3D48837A8B3,SHA256=A10A6260FE900A9A809B0B6D4DF39FC9ECEE98BA22AE4E37BA646B3686702CD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025014Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:04.160{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=201AD2C412D6DE3E5B49662B469317C3,SHA256=ECCF4B7213100BBA9730FC05C2362DE753C4B5662A2B1947E11D982F53F88DA0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025043Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:05.785{FFF7FB96-19BD-6136-3D06-00000000F101}40323384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025042Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:05.644{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-19BD-6136-3D06-00000000F101}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025041Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:05.644{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025040Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:05.644{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025039Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:05.644{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025038Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:05.644{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025037Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:05.644{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025036Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:05.644{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025035Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:05.644{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025034Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:05.644{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025033Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:05.644{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025032Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:05.644{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-19BD-6136-3D06-00000000F101}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025031Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:05.644{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-19BD-6136-3D06-00000000F101}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025030Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:05.645{FFF7FB96-19BD-6136-3D06-00000000F101}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025029Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:05.628{FFF7FB96-049C-6136-9F00-00000000F101}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025028Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:05.160{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA4B7B62C490A86FE385BE014D006CCA,SHA256=FD9FEC55F94C5DBECD3629EB34C3DC914CE5CF360A53CBCC389C7F7C09F38535,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043977Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:05.936{323FE7D8-19BD-6136-C508-00000000F001}17484368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043976Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:05.774{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-19BD-6136-C508-00000000F001}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043975Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:05.774{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043974Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:05.774{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043973Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:05.774{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043972Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:05.774{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043971Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:05.774{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-19BD-6136-C508-00000000F001}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000043970Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:05.774{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-19BD-6136-C508-00000000F001}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000043969Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:05.774{323FE7D8-19BD-6136-C508-00000000F001}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000043968Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:05.505{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67E7779DD3A4EE4D858DE931A4B08A88,SHA256=A4F797011C16650912896A679B87E41ED7460D11195AB33D8F7DBA6F79831017,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043967Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:05.505{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A0AB0DBFE53026B5582930159BBFA26,SHA256=492DF6D1CED0AF675845DE70593204F0F2B3614709F4D58D52DB61CAACB1D2F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043966Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:05.319{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F943FE45E9F706FC6743F0215B2B2167,SHA256=8EC01DB3B1ECDCC7B5D7D785F41191A06E932BAA49967AE04E494B61A47F5905,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043965Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:05.103{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-19BD-6136-C408-00000000F001}6396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043964Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:05.103{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043963Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:05.103{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043962Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:05.103{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043961Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:05.103{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043960Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:05.103{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-19BD-6136-C408-00000000F001}6396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000043959Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:05.103{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-19BD-6136-C408-00000000F001}6396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000043958Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:05.104{323FE7D8-19BD-6136-C408-00000000F001}6396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000025027Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:05.128{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-19BD-6136-3C06-00000000F101}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025026Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:05.128{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025025Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:05.128{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025024Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:05.128{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025023Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:05.128{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025022Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:05.128{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025021Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:05.128{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025020Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:05.128{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025019Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:05.128{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025018Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:05.128{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025017Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:05.128{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-19BD-6136-3C06-00000000F101}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025016Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:05.128{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-19BD-6136-3C06-00000000F101}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025015Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:05.129{FFF7FB96-19BD-6136-3C06-00000000F101}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000043979Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:06.573{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67E7779DD3A4EE4D858DE931A4B08A88,SHA256=A4F797011C16650912896A679B87E41ED7460D11195AB33D8F7DBA6F79831017,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043978Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:06.320{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E295FB3BCCEE015C04D4874DB9688FFF,SHA256=B0B89CB665FE98480CDBCF74C4EDEAB134B27D598F07FF3ABE7D8A763C2FFC85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025059Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:06.316{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-19BE-6136-3E06-00000000F101}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025058Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:06.316{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025057Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:06.316{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025056Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:06.316{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025055Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:06.316{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025054Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:06.316{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025053Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:06.316{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025052Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:06.316{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025051Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:06.316{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025050Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:06.316{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025049Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:06.316{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-19BE-6136-3E06-00000000F101}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025048Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:06.316{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-19BE-6136-3E06-00000000F101}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025047Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:06.316{FFF7FB96-19BE-6136-3E06-00000000F101}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025046Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:06.175{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D2A5F71FB7207DB4B253E97F0D18790,SHA256=EA964628DB513CBDC4387F80532D517CF5879D9BDECCED655C310122231C19A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025045Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:06.144{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D381B447C46F67668152F2476087F90C,SHA256=EDC0B8AD2622BED21EEABB22CABB2CC9A67B550E02ECFA3B3E414FDA43B1F089,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025044Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:06.144{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8857280EEAA64C6F5DD6B2B8C8A844D5,SHA256=91AAFE72505138D7BC102DB2036FCA06F8AE6B7A3A1C105C40B8042E38D8ED34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043985Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:07.373{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-022E-6136-1500-00000000F001}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043984Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:07.373{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-022E-6136-1500-00000000F001}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043983Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:07.373{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-022E-6136-1500-00000000F001}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000043982Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:07.335{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AAAD85BB7EB36FE7AFEC022A2CED245,SHA256=1170DA20C7C5823882F457973E6CC1C3C19C014EF99DAC66C973FFD7186642C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025077Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:06.053{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50861-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000025076Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:05.459{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50860-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000025075Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:07.519{FFF7FB96-19BF-6136-3F06-00000000F101}36844092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000025074Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:07.425{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D381B447C46F67668152F2476087F90C,SHA256=EDC0B8AD2622BED21EEABB22CABB2CC9A67B550E02ECFA3B3E414FDA43B1F089,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025073Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:07.378{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-19BF-6136-3F06-00000000F101}3684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025072Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:07.378{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025071Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:07.378{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025070Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:07.378{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025069Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:07.378{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025068Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:07.378{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025067Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:07.378{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025066Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:07.378{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025065Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:07.378{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025064Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:07.378{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025063Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:07.378{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-19BF-6136-3F06-00000000F101}3684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025062Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:07.378{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-19BF-6136-3F06-00000000F101}3684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025061Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:07.379{FFF7FB96-19BF-6136-3F06-00000000F101}3684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025060Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:07.191{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5AE0E601C75739719560655DA7FD76E,SHA256=3E80FB2B761D4528480214E4B9413D0E700B973437DFEC9526FE451AFECAE57C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043981Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:05.147{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51599-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000043980Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:05.146{323FE7D8-023F-6136-2800-00000000F001}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51599-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 10341000x800000000000000044004Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:08.989{323FE7D8-19C0-6136-C708-00000000F001}48363828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044003Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:08.755{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-19C0-6136-C708-00000000F001}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044002Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:08.753{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044001Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:08.753{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044000Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:08.752{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043999Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:08.752{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043998Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:08.752{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-19C0-6136-C708-00000000F001}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000043997Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:08.752{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-19C0-6136-C708-00000000F001}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000043996Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:08.751{323FE7D8-19C0-6136-C708-00000000F001}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000043995Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:08.357{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C424CD7C2B7874890953D6C7FFFA578D,SHA256=DB47315740988097C97E1D758B9CF7F23359D0235C775EF0E9C9E787567E4C12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025106Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:08.863{FFF7FB96-19C0-6136-4106-00000000F101}992996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025105Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:08.722{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-19C0-6136-4106-00000000F101}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025104Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:08.722{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025103Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:08.722{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025102Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:08.722{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025101Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:08.722{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025100Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:08.722{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025099Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:08.722{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025098Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:08.722{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025097Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:08.722{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025096Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:08.722{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025095Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:08.722{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-19C0-6136-4106-00000000F101}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025094Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:08.722{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-19C0-6136-4106-00000000F101}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025093Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:08.723{FFF7FB96-19C0-6136-4106-00000000F101}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025092Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:08.347{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=391325262F68D5B753A28B1F580EF045,SHA256=3BEA048FC5AA16952C3F339C72B0790BC1F9C3B64E2FAD3FAB247E7FFBDBF061,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025091Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:08.206{FFF7FB96-19C0-6136-4006-00000000F101}13721296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043994Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:08.257{323FE7D8-19C0-6136-C608-00000000F001}16762856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043993Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:08.072{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043992Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:08.072{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043991Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:08.072{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-19C0-6136-C608-00000000F001}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043990Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:08.072{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043989Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:08.072{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043988Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:08.072{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-19C0-6136-C608-00000000F001}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000043987Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:08.072{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-19C0-6136-C608-00000000F001}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000043986Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:08.073{323FE7D8-19C0-6136-C608-00000000F001}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000025090Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:08.050{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-19C0-6136-4006-00000000F101}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025089Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:08.050{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025088Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:08.050{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025087Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:08.050{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025086Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:08.050{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025085Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:08.050{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025084Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:08.050{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025083Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:08.050{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025082Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:08.050{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025081Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:08.050{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025080Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:08.050{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-19C0-6136-4006-00000000F101}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025079Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:08.050{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-19C0-6136-4006-00000000F101}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025078Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:08.051{FFF7FB96-19C0-6136-4006-00000000F101}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000044015Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:09.620{323FE7D8-19C1-6136-C808-00000000F001}41405408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044014Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:09.420{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-19C1-6136-C808-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044013Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:09.420{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044012Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:09.420{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044011Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:09.420{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044010Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:09.420{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044009Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:09.420{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-19C1-6136-C808-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044008Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:09.420{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-19C1-6136-C808-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044007Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:09.421{323FE7D8-19C1-6136-C808-00000000F001}4140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044006Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:09.373{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98BA82DAFDAB20F126884C6145DF7588,SHA256=D69AFAD3E8A416EED59DE4D001EBD1028995D29783AB1AFE38B385655B3B8B77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025121Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:09.394{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-19C1-6136-4206-00000000F101}436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025120Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:09.394{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025119Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:09.394{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025118Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:09.394{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025117Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:09.394{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025116Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:09.394{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025115Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:09.394{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025114Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:09.394{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025113Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:09.394{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025112Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:09.394{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025111Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:09.394{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-19C1-6136-4206-00000000F101}436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025110Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:09.394{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-19C1-6136-4206-00000000F101}436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025109Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:09.395{FFF7FB96-19C1-6136-4206-00000000F101}436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025108Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:09.285{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0C9477B131719B628607444D93B9297,SHA256=FE9DDE7F7C0AEF22192ACA26196D85296962B7A7F10B517D30406213439616A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025107Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:09.285{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B143447BF29B8E080CB030862D7A381A,SHA256=B3895F6A81A1C7D0E7004F0928761086296CCE733B642527AD88743B8585EB47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044005Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:09.073{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57CA774C1A494098F21EAF372FC74EB0,SHA256=D25B3EC38F754C6FE8872F3F77DB2F074D0DA3217AC57F4F3DBB15AE0F7B5A66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044026Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:10.421{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92725F67BAEFBAAFA2372E2556BCCC81,SHA256=2C6DFD32073C94EAF0E246E684510C25783FFE9BABA622EAAD893A357DEA5E71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044025Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:10.390{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D33E42C11A3A6A4B0CDFC1E368FACC01,SHA256=292C4519B15A6C1CCDAD4E01E59AEAB2D517C65F8D8112F42920532D714C64EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025124Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:10.913{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\respondent-20210906120554-089MD5=4761C661187147E55C9BD88F93ACDD3F,SHA256=E49051AD655512C416AEEFA39D6145E31F50204E8459201070596158B48A8487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025123Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:10.411{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5D26DB67F92C4D0A52883152ED6BE1D,SHA256=C63BBEB905B7C7B14A692D94FEA4A2463986C1E2DE200FE89339AF451509C102,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025122Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:10.285{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=184F3835EDA74C92AAF26915E296957E,SHA256=43D8D325348A5C614EBDDF29C615F73348EDE9812D7EB1DFE684815370F9796F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044024Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:10.088{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-19C2-6136-C908-00000000F001}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044023Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:10.088{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044022Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:10.088{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044021Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:10.088{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-19C2-6136-C908-00000000F001}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044020Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:10.088{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044019Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:10.088{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044018Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:10.088{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-19C2-6136-C908-00000000F001}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044017Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:10.089{323FE7D8-19C2-6136-C908-00000000F001}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000044016Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:07.797{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51600-false10.0.1.12-8000- 23542300x800000000000000044027Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:11.404{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7F7D8433F9ED2C398CDD315EB8BC2B3,SHA256=C7332F3AA10545B61AA906F92418880F31C43DC8EBA654AD25A9FE9D256AA1AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025126Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:11.926{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\surveyor-20210906120551-090MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025125Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:11.300{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FCEDF7E6F84AE0839C434E979D2EB96,SHA256=D980B85DD3103A966C4643F5B4873A6390B73E2AC45392C61D468728FC537B2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044028Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:12.419{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD04B1B395F47FB3979A748C73FF63C7,SHA256=5C62767A339C490ED097CC88AEE39156D9411B5BA93936F033676A5E36220CE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025127Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:12.330{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BF0C4387B544B0416BB55D00E515E69,SHA256=34C2F21A8B93E7A4587914A0E187DC7D4E51F8258B6E0ABE4102F070BB0FB22E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044029Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:13.452{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E8B783140CBEE54C8B9068C9E4EF9F7,SHA256=676F7D958C3D7AB7EA732713D16476BDF1123D26134B3F88818630BA83E1E148,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025129Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:12.098{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50862-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025128Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:13.348{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E0196512C33FB098FDFDE670E738ADC,SHA256=AD322782CD429444D60BE157848BC101850B96C7DE668154D6FFDA63FB180837,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025130Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:14.364{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=323136A60366607364967A68D288AC81,SHA256=34AF45B967A8BEFB27B971494614CEBDAB085FF413274F2C7E6825D4F3202A52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044030Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:14.471{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F60D8BB25FCA8335B82C9E4D95289F5,SHA256=4CD342EB1AB3F08E5A22B857DC3F1566550CF5ED1899D576EF6AC20824D05947,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044032Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:15.486{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6A9E0ED9BE0B1228AA0C30BF63EF018,SHA256=68DC7AAD778B5CB9921B7213E0840506352B13C49A1C7169E41B2E4292D19F43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025131Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:15.379{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F00AE41752CFC52EE0F380233DD85F4,SHA256=1101EA66D129CC8AFA1FE54C5F16ED4A8C8FE9D4C6DD685C11D14D82362A429E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044031Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:13.644{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51601-false10.0.1.12-8000- 23542300x800000000000000025132Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:16.395{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5CCEE867CA036DA8492A0CC5D35BD70,SHA256=12AE20B91314596D3BAF81D287C1C35C4DB9B58980C985F52E43BDC033E730FF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000044036Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:38:16.532{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9752B235-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9752B235-0000-0000-0000-100000000000.XML 13241300x800000000000000044035Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:38:16.516{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CED8D70C-FDB7-4280-B713-3A56B1B8A289\Config SourceDWORD (0x00000001) 13241300x800000000000000044034Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:38:16.516{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CED8D70C-FDB7-4280-B713-3A56B1B8A289\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_CED8D70C-FDB7-4280-B713-3A56B1B8A289.XML 23542300x800000000000000044033Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:16.501{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=220E9614D947483527CCD97B338C4DBE,SHA256=85341C5F13B56CF2FCD9ABC53EA13CCAF385A8ACCF0AD84DD5D85984E9F70CAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025133Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:17.426{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB5D04A7F43E4A0A1902E1FB9F09727F,SHA256=DA3AAEBA084614B5DA8C0D98B8D6B0A292E047B9168E17D27A5792FEABBBAC91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044041Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:17.569{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9922126A895780C479C762AA4DC876E,SHA256=D4FE2488B8144B37F5EAE9A9D7279CC7AC8BE8BC89A33526BDF66A4A200FA966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044040Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:17.569{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55CD4ABB61DC73ABFB0DB572F97049AE,SHA256=C7417E9B24D769F090CACB9D3D66EE8A2E0706DD363551A79C2304F90F3C3F13,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044039Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:16.112{323FE7D8-022E-6136-0D00-00000000F001}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51602-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local135epmap 354300x800000000000000044038Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:16.112{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51602-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local135epmap 23542300x800000000000000044037Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:17.531{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DF47953159FF8B48C17553B00D898A3,SHA256=7AA494BF3C81A7CF09F82B602CD406E04D9B39A7E72AE05F55C1DB372061BF90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025134Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:18.442{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF82E11703869E1CA328409E69D1D5B,SHA256=DC575B7B4D00DEAE9C842179A98D5B2C6D118E35F0DA5EC878BA1DA87039ED3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044046Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:18.553{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBDB121F38F650588A674A42305C4C00,SHA256=E8DA44EF52E69C56B123199725EC9745DC7A7A89E6C2410ABAC7EC5B95B186B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044045Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:16.135{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51604-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 354300x800000000000000044044Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:16.135{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51604-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 354300x800000000000000044043Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:16.128{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51603-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 354300x800000000000000044042Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:16.128{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51603-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 354300x800000000000000025136Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:17.913{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50863-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025135Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:19.446{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=342856766A485A37DA8D0ABB0F20CFEF,SHA256=5DCA141E5638ACED41ED4F06DCB044C1211BD5363E574591A9C63CC4E07C5539,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044047Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:19.568{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC1EAB06B07A9BBAA294249067431E63,SHA256=D8462615B4678FB19435A94F8A635351F9895C928C4347A1DC92D97DCDC3D88F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044049Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:20.582{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=578F25CD094CF721637C375872E9E0FF,SHA256=90B613BBCDA8BEEB84B8D92035F2A5C7D2CDC53A99CB408CB2381515ABF8563C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025137Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:20.446{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9803DEACDF5CA8689BBCDB8050605E4,SHA256=12B4B228CDD8B341A5EF8213D29CD0E30E0D99546E5AE22B2012149BCC1D57B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044048Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:18.744{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51605-false10.0.1.12-8000- 23542300x800000000000000025138Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:21.461{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83B492C5661B72CAC0F58CBC8057DDBB,SHA256=E83214A5FFAB81F347C7BBF0E5430B6FF0FBEE31637CCEEAC29DD1ECC9DB8798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044050Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:21.598{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=561F8EC2D2A63FEB68A0F7679EFCC092,SHA256=A21AE08B329AE1C6780B4B1070642F091F0F77FCF113B960840DB13E0C0091F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025139Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:22.461{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BE8055244483D95F049D1C2F1246A23,SHA256=8F8CDBF9B298BC6521F11D4D318118DFB4934A2AAEAF7BD51F1178AFC8FD5330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044052Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:22.606{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E848710A23CDABD10DB5EAAA59331252,SHA256=46E64B672FDF6ECA48570ACD193FF5E5013AA1C23B599DC0C9B3330D12AF468D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044051Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:22.547{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\respondent-20210906115753-097MD5=58D52BFFD80488B8005F7C319C2D4334,SHA256=B9D8441D1BC2ED8425146F5F211E2A21C477807F4E0B7EBAD9811C868FAB9279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044054Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:23.626{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B94F8EB9374B4ECB9518432A8F043D85,SHA256=7679C31D3319DF7B61499341D70CF9AB069DFFDEEA21157A0B82F6F0B37A4B39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025140Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:23.461{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=613FF72799C0E8C1724DF8C9C2491131,SHA256=F540104DB6CAAFE046B10254BCC2C96B53438326C961E0B8A6F86E3FC04E2052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044053Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:23.566{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\surveyor-20210906115751-098MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044055Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:24.628{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55CDA1210466215F339819B1DF22DF0D,SHA256=3E685A497AD099A0B60086EC90BD2477347276EC39A753832AF4AE578C207D48,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025142Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:22.980{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50864-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025141Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:24.477{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BBF5D7C4FA5CBC4729335EF6FCDFEDD,SHA256=CB6815C6040A1DA5D82795FD481854F7F4B535D687D1E548C1DB11B36B9A3CEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044056Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:25.680{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1F3D096DE72CD10065159DD4318B403,SHA256=5A9D6F41B72331A9B74E9958D52408D017EA7FD26BC675E8402AF37AFB1B7384,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025143Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:25.493{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=127AED1E7D202EA225F68635BC1AFBFC,SHA256=69767DE28FB5424F5F58B4ADC4F8627E7CE61B8FAD5A8566108172E3867D4634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025144Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:26.524{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61F5BC0E88AB7D30E6C0AA801B031A58,SHA256=C4E83C83F5A0ECC0DD0F6DB645A44FBB592638B7556E709877E7D13CDE682B75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044058Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:26.695{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A9A27BC1A5F58DE3F4FECD3809D0F2C,SHA256=E91CB1C628163701FBFEAC7E3909BAE4B85D94FC0686D8885A0CC3BF019E6271,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044057Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:23.841{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51606-false10.0.1.12-8000- 23542300x800000000000000025145Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:27.540{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BE5E57E1F011A0F3FC5D53435C01411,SHA256=AD66B4B17657DEDB65FC96358D56B29C8A4A0060B540BDEDB1D5643E5A0F8E7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044059Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:27.726{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0E5C80AF54F83A642CDF82218F339DD,SHA256=468D17BAD69F83DCE2064E634D18227E72EB399DFC7ADA387CAA6C2D76D148DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044060Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:28.744{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01B77F074EC7918301F6D580189433EE,SHA256=1D67F7F9E8D80B4270A7F76C46BE12ED384ABAEB195CE11321B37759FC77E68D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025146Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:28.540{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8FA81516DE23C54028BCA10F8E8835B,SHA256=EC7AE944B0A1AACED5BB113026FE6763F8866D42ECE68D3B8071EC6662D815D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044061Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:29.746{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=864B709FFC1111DD2D96FE45177B9E25,SHA256=6A57869D957614869E0A8D4EB93F72D461D3B83790B3ACE53A856F2C8903C9E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025147Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:29.586{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F469FE73B953AEF3AAA097844DDEDE12,SHA256=2FD1F24400237F5BE2CC0E0BDC7346922490950AEF34FC5CF54DAF85DB74839E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044064Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:30.776{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EB738BE57B2090B9FBE1B117B74522C,SHA256=8E036C4FACA27109ECCEB75A6617B702BCA92FEAB21996DBD0802478D6BE0829,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025149Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:30.602{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6118D741FABB4CA8649DF19D23F729C7,SHA256=4C6BA22422772799569A3FBE15E182550A0A3830B28DED3039B38AAE03331EC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044063Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:28.856{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51607-false10.0.1.12-8000- 23542300x800000000000000044062Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:30.144{323FE7D8-02BC-6136-A700-00000000F001}1036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025148Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:28.011{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50865-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025150Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:31.602{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66B0F823FF0BCFFD71ABC9FE6017CD8C,SHA256=F27354DF87569F962183710930402027D450967B5D2338278F73184BEE671BE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044066Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:31.792{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CED2B728405D8D960B44E4FAD39300B,SHA256=75527539E604C4941E9C4F242D2EAA79F9AA9245F5D30491F1ADBADD9807F956,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044065Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:29.718{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51608-false10.0.1.12-8089- 23542300x800000000000000044067Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:32.807{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05201E3E9DB4968ECBC9F809B4C15FD4,SHA256=0D41A46B94011FECB180EF06A2886DF40C8C2DBE58F03EE4578AF8DACA388D69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025151Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:32.633{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AAE5459099F39DFA61561A6FBE97406,SHA256=362E047D5EAD99B18BC15C133DB1B387372FA0763D0CCE07A1EFADB37E51A6B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044068Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:33.822{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC8DC530057FF41059B99692E3D5705,SHA256=3D1D4A033C517CFCE81970EF286E854C6EA6B0E3BB4D1ABEB0039AA74748EAF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025152Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:33.649{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8697518F4198385BE73CAA3A114F2FBD,SHA256=7FCBAFEB6D32512FC3117284F08593EBB5D0F9B62A089590BED3E85F3F07CA90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044069Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:34.839{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD5636D385CFBB360C26DC9EE72FA5B1,SHA256=C7B4A82D61D6E0B119CAD83AE0937634CB04248048D4816F9D1DB7CD9F1E0F72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025153Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:34.665{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=231289A4EFC8B6CF342E5E84C13654D0,SHA256=A9B275B1894AFEAEC57AA97F14BF5B2D380DE6E03E9EC22189134A8B5F1BA710,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044070Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:35.858{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C50E735903F42B5DE1CCD6540B7D94,SHA256=A171C07238DB8769E97CF40563FB5DAF23370C28E2B3C326C7C841B2B2A10D82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025155Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:35.696{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1397372EC61A4B7EA7B1B86CD97AE08D,SHA256=74469AE5E28101B866FF525428FD011554E06B4D45E783769621A2AFEBBDB670,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025154Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:33.058{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50866-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044072Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:36.873{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F13DA49110A2C756398DD85D751A7BF,SHA256=BFD38F2C3D05E8B0C3E99EB31347ED78201AC85F1938D413C8993A06917E98ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025156Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:36.696{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C8E0254E47F8EB4C1587A77E039D54D,SHA256=F5C98483C72092116098B46C1CB340090A9273750B803BAB0480885D1958AF5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044071Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:36.189{323FE7D8-022E-6136-1000-00000000F001}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9E31A95769286B929C70B1C3E95C18C4,SHA256=C0A93949A36C98794B683AB71525E5D1B6FF3054AE483BF7D0255349D71BE505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044074Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:37.888{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B56980966A7C52B41F31D40566F66DE3,SHA256=09314021A582BA5B6DDB868C7BF14F955B2A3E3A6A9321E3C883BAD1255E193E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025157Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:37.711{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71339CEE5F4CF5DF2F6DDCDC6EF831E5,SHA256=67BD7233240ED6672CE530B93BCA3FD200CF23DFE2AB73DD2123EE6BF9923D19,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044073Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:34.834{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51609-false10.0.1.12-8000- 23542300x800000000000000044075Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:38.903{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D848086D2A6F1DD455C92EAFA80B7DB,SHA256=7F6C3879DEFFA37A9AFC0A91036AC0E163CF9193F170D4EE8D2C7AA9D65C7102,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025158Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:38.726{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2126968C6BD35014200FB7DA8C25836,SHA256=B748E682BC752304B9CC6CE5C27D51DCE63F2825FEA1538C949A45C088A2FFA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044076Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:39.918{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BDF07D94A7FA884084421DE6154FB16,SHA256=8C1FE8A822E8DB4AAAD4721D0274C93B88A7E428C76DA00CEC79F49B8AD1C788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025159Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:39.742{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C4DDB75D3731F5A5160F18AAF3D85AD,SHA256=6EB3DB10AA53D5BB73F4C271F0EE670C3C95358E0E940A78690F83E161022766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044077Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:40.935{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8105EB632EB97D623E6759ED2A08FD8F,SHA256=E35D2D9E164E2A08392EE277DAF76ED9382AA194E6B61541281C6FFF4634EFC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025161Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:40.757{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C116832FA43B28BA1C4BD8A21341558,SHA256=87B29EB1B99D07D54C9BA60FF478438ECBE86CBE41D97639DFA4CAA8EECDE7D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025160Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:38.948{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50867-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044078Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:41.954{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5514BBE25A50C639B8B03058564E6BDE,SHA256=6147563EFE43F52D0644AB003F05EA9A2422FFAEFCFA9B8B0D58C213CB11BC31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025162Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:41.773{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E39F3E85037013C62BD1B70D80913C8,SHA256=CAC30A0AC5D7436355CF306715BE2B9B05EC05D659D8737107B66898E69BCB81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044080Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:42.969{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8ED8DF49F342E825D22F6EC41B84D69,SHA256=14948FDE0CA2F5F826C93E1BF146F0EDC80289B0C33CF65CDEDD2A2548787F75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025163Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:42.788{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D581506E12FC6DDCDFC853891571CA80,SHA256=FD16BBD026EF63FFC00F751E17336FBDD6D8DD4882C0B8A0727594C2DE0529F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044079Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:40.764{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51610-false10.0.1.12-8000- 23542300x800000000000000025164Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:43.788{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8F0EA74EB1F29A19D56C61E068B28AF,SHA256=55EACA2DD7E7D7AB8A85AB5A142C6A3A65F6F9E93C4A824D0DD06A3A6004540D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025165Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:44.835{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EDFB8CC9737B70A6D8586C62F6EB756,SHA256=E31A039AA4F84F5576CCACFF5533D3BA5CC5E6DB22141F38342C6525F670B7EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044081Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:44.000{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF81515D1C8D36A91C81246DB76219E7,SHA256=18484EC6801DB2F77F05206DF8A53B3FDCD9FE84871FF816463B6D3A1735956C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025166Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:45.867{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F47C1E059B1DB3CFB7AB3EF4754796F,SHA256=B5CE81128429D884E30EECA1176C2DD672C12806CEAAB5E21EA475861BBFCCA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044082Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:45.015{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=746E285FB1A980FB2D9EE0F4CC0A2D36,SHA256=CD2CCC6AFCEDCFD5A3EC75010AC92F9D8FE017B6515AF71524C0128DBC7324E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025168Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:46.882{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F8EA9B2F859C94E461051A1617F5885,SHA256=582F159709D313558A37008EBA0C2E1182B26AF40983C0A0C995891DF6524CA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044083Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:46.032{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D7D6ACE929903FD22D4878BCE36D037,SHA256=46B89575B08BE2B3A51834F9B63CB83094FEA46C425DE34ECEB167C3EA2F56B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025167Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:44.979{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50868-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025169Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:47.913{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A8D90B4770A85B0B4EB4EE215A99DC8,SHA256=EB0C8D585C94386462E8C90914B6A4A3999605D3BF326ABF504A7E1D8F7A7642,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044084Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:47.066{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B3BA041D26A77C91DD0316B646C8317,SHA256=A77B3C8704D84B5DCE699A1DCD71E4FE4451E58AFB70AC81FBD4E845AFA25173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025170Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:48.929{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5175CF69FF73F61765A1335AD26E3857,SHA256=EF8F3FB906AAA8B8F7D9AEFA6C081A682D757BA300E03524386618898EA6E095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044085Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:48.081{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=567663D60E5E8169ECD0EBE468BB8A96,SHA256=844CBBE5D291DB89FD77D4E44FD79FFF6C13AA42E9C298804706416C09F893E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025171Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:49.945{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6125C7B84107159628E929EAFB25498A,SHA256=BC60858684D4B0CD156AAF7538F91577D6AC54BB4E056F8B1B5E0C1546C1E7EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044087Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:46.707{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51611-false10.0.1.12-8000- 23542300x800000000000000044086Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:49.099{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F2F004A077E32A1776B834BEFA7E7CD,SHA256=13760D34E5C84480D40E6615E16BDB07454604410B7F5A8E6AC21CD370C3B602,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025172Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:50.960{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D857755BB5B6A60D771E98C739E3E61E,SHA256=2BC0C09FFA3833907FDAE224AEC3A1E2B9C6B18E273DEE99BBA89404D82C2129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044088Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:50.100{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64A1FE01E12B071F9E08FBCC7542044A,SHA256=03B602D74C9CBFBDBFEC466B8EF3E2A513EA7A4E8201C113BB386B4BF47A23C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025175Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:51.960{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=097DABFBA3691C0A3422FF734A02E75A,SHA256=50775B5370F1AC5D9236765AF7EAB52E5A73160190E2E596B5BAF80C64F020D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044089Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:51.115{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22C90D30567212420CF116D195E2D5E6,SHA256=B66B7AB844AFC5BDC035E2EF90A826A1D3D079771494C4DEE79FC5C01307ED81,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025174Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:49.979{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50869-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025173Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:51.585{FFF7FB96-041E-6136-1200-00000000F101}1020NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1004F04FD8AD340D904B5D801DAAF5B3,SHA256=69E4906CBE9039A7332B4E01C7425DD1D02891B16878518452CB29E5956A60E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025176Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:52.960{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=711CF3BEC7DC2C55A988A1775251FF93,SHA256=B418CC669E4B922474C28BA5645422F20A9AB174B6CBD44D561AF5585EC4D027,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044090Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:52.132{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AFD2F3F255ECFC7EFDDC9DD043B89A9,SHA256=0223E3AB338382B587A8A1BE052564B5A175FBA700B9F072EB230CCC206D28A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025177Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:53.960{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03D601610C6BD6C2BD147E5EE9E2ABCB,SHA256=740E1C18C334F7897C3F93CACD29DF966038923B17A04FAB3273AEC3E9DF168A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044091Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:53.167{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D364442036CFE769070099C10FE6BC8,SHA256=75E4A70DF97C84FA6A7427028CC834DCFE3C118C0BEB10E0A26E54A29F966847,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025178Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:54.976{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=357BEDD03ED7947DB842A0DD4B1E6210,SHA256=9152F4DC9BDB278D4759DDFB4B4BCDCE82DEBA379831EB2A28D6F7B9CF94682D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044093Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:54.197{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C2F9D44A304D224CC657CE456012149,SHA256=6FBBD813D15673BC9016E767E2CAC922169BFA5A5B2F13102EE1F3FAA693F1BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044092Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:51.808{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51612-false10.0.1.12-8000- 23542300x800000000000000044094Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:55.199{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5F094AC9D2B1AD88D4D59D0F1BD4A83,SHA256=B30614BB86C741C7EB8D102C117B8D9506AE9590836B7E255A636E30F45766D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025179Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:56.007{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0E13693CEA2981F8B9B7902BE970F03,SHA256=329CEA9D5A6A5F137FA037904AC4B80D7D4E582251D0D831F6B4C69FE36BDE80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044095Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:56.214{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE34057F19759214DD8843CCFB20D23,SHA256=5B8AC391A482384356713874CEB4D4591B9B6F27BE252AD8B6A8A2F73436A9FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025181Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:55.948{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50870-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025180Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:57.038{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30CBD8BCBEB15998E9FB17CA0282CCAF,SHA256=EFE2CD20A900DC95FA247372AFBD12D6FA309F00273541F25C9ECBDCBDAB180D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044096Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:57.215{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDBE967CEC2E141BC7EA14B3FB50DEB4,SHA256=10EEAA62F9666D6825F9FA3B0D42D0BD5C45C10690505E3AAEFA74A8A18424D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044097Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:58.232{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5B6C98C320170A8A4211E4AB0394C00,SHA256=9C957E9468D446B3A7E757137AEA23E0CF3CB9E23FE656A904E1F2685CAA3811,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025182Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:58.039{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FC3E008EA1A84F73C3E8D8BF34A70D9,SHA256=87C5B2F35195D6BB64D57928F0CE52DEB9050F9F349B12A1D393C7C74A57705B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044098Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:59.266{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5372AAD08E690278E45384BE358E32DC,SHA256=81DD26525A981E8A7918B1FFB8A04323584D35ACED1A0D446846029CCDDE23A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025183Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:38:59.040{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=941FB1F4AB649507B10DEF5E739C473F,SHA256=9C2E99348B3826AFD08CAA45972C4BDB51430BBB4084F97A821E9645AF708F81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025184Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:00.055{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86B88C5403F74FBC2E9C44EAA2756A47,SHA256=CDF4C227FB1901D0F4E2E65F38C9ECE629B3CBA1E66C6E44FC31DFD904057FC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044100Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:00.281{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCCE31A98AA529FAE7A00649575AC15A,SHA256=0CD587DE3FFEBCD380118FB4BDCC53034A4E08069CD08EADF71889D3A046C69A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044099Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:38:57.808{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51613-false10.0.1.12-8000- 23542300x800000000000000025185Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:01.055{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A14E7ECB79D139294E90E35E10A1138,SHA256=8AE601EB4DF441FBC700135EC8CDE612891C6A7E917CCE049C281A63C488F07E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044101Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:01.296{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69E8F0E5FFB7C77AFBD5D8C69E6D0DFE,SHA256=EBF65B6A9D940776022E2B0DD601AAF510CDF30A1B06162664BCBE44D8E80389,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044102Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:02.311{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11BDFEAC71A45821B04880BAA9B026D6,SHA256=BD5A35B1BF5BB2A983F337DCD3332F1AF506AA3BEA2B26A94934D9FD9B698173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025186Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:02.055{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F407489986D66886562F9A9842FAAA36,SHA256=5E83D435E51D8F3E68CF03B9BCCAC9D02FEDF4D325D3FD6AE9BF1E80C7DF7B71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044105Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:03.947{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1182936DAC3C905632D409545A6CE5AF,SHA256=B10E4A104824FC69A4EA61D2027809D6AF65731D32E2733470718A823329C1F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044104Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:03.947{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4ABAA3306D4472EF769A126A2A8A97B6,SHA256=3A16BC7B0EC9B9AF12BC54C1AAF6C5C4436E797F437BD50ECF9264B0F1233FA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044103Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:03.329{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=133A766DB0F82D27C40D93236945269B,SHA256=18C6FD09F11C69F1675752D9787E02B121C91F2387104E7746A612BEF0992D99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025187Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:03.055{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9B5146B05C0C23DA2EDDF0F6D7BEB77,SHA256=2AB2363C668A5D54870FCCBBBF8F64685B4DB23E81D32E2BE8DF0F922A1C0FF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044114Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:04.431{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-19F8-6136-CA08-00000000F001}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044113Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:04.428{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044112Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:04.428{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044111Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:04.428{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044110Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:04.428{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044109Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:04.428{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-19F8-6136-CA08-00000000F001}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044108Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:04.427{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-19F8-6136-CA08-00000000F001}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044107Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:04.426{323FE7D8-19F8-6136-CA08-00000000F001}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044106Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:04.363{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55EC9EC895EA13BEBD37E8A1440D0D74,SHA256=1A3C3D59E2E57184CD4835BD8AC4CA11DBAD0DE2E31E50DC8E7C12667DCCFA09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025189Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:04.071{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AA8BA1A5A176E68B4EC42123567F952,SHA256=853131287F71D39A7455AD88EE300BA81AAA1DF4343BC20E82D0BFC0519F35F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025188Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:01.886{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50871-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000044134Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:05.678{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-19F9-6136-CC08-00000000F001}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044133Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:05.678{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044132Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:05.678{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044131Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:05.678{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044130Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:05.678{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044129Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:05.678{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-19F9-6136-CC08-00000000F001}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044128Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:05.678{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-19F9-6136-CC08-00000000F001}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044127Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:05.680{323FE7D8-19F9-6136-CC08-00000000F001}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044126Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:05.463{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=336FC13A5539EE5F872243FF73ED2AC5,SHA256=DD8624772D672437A4049FF4C4543DD935DFE718D08189BCF4CC9EBE97738721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044125Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:05.463{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9922126A895780C479C762AA4DC876E,SHA256=D4FE2488B8144B37F5EAE9A9D7279CC7AC8BE8BC89A33526BDF66A4A200FA966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044124Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:05.378{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C86527B6A119A43BDAF253935AB86536,SHA256=3F617BA48A45DBA437EBB94C72DA1AB38AC424AEA0B14A562875379AAD2D6419,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025217Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:05.805{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-19F9-6136-4406-00000000F101}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025216Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:05.805{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025215Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:05.805{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025214Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:05.805{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025213Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:05.805{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025212Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:05.805{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025211Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:05.805{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025210Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:05.805{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025209Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:05.805{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025208Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:05.805{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025207Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:05.805{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-19F9-6136-4406-00000000F101}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025206Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:05.805{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-19F9-6136-4406-00000000F101}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025205Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:05.806{FFF7FB96-19F9-6136-4406-00000000F101}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025204Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:05.649{FFF7FB96-049C-6136-9F00-00000000F101}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025203Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:05.133{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-19F9-6136-4306-00000000F101}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025202Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:05.133{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025201Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:05.133{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025200Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:05.133{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025199Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:05.133{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025198Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:05.133{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025197Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:05.133{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025196Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:05.133{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025195Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:05.133{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025194Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:05.133{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025193Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:05.133{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-19F9-6136-4306-00000000F101}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025192Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:05.133{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-19F9-6136-4306-00000000F101}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025191Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:05.134{FFF7FB96-19F9-6136-4306-00000000F101}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025190Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:05.086{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA458ACFFFC48AB56195D327D660D4EF,SHA256=60A81A7750079698A8639E5E5B1208B6F741350E20A1E596BB4FB9846046C87B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044123Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:05.347{323FE7D8-19F9-6136-CB08-00000000F001}20964024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044122Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:05.110{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-19F9-6136-CB08-00000000F001}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044121Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:05.110{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044120Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:05.110{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044119Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:05.110{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044118Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:05.110{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044117Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:05.110{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-19F9-6136-CB08-00000000F001}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044116Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:05.110{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-19F9-6136-CB08-00000000F001}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044115Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:05.111{323FE7D8-19F9-6136-CB08-00000000F001}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044137Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:06.563{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=336FC13A5539EE5F872243FF73ED2AC5,SHA256=DD8624772D672437A4049FF4C4543DD935DFE718D08189BCF4CC9EBE97738721,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044136Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:03.803{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51614-false10.0.1.12-8000- 23542300x800000000000000044135Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:06.409{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=276C863960A028CD747E663699CFC8F0,SHA256=AFBDA88EDDD46D5A99B3E3F464D650730D34614DA9C91E11554DA1BFEB52A5AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025234Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:06.602{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD07E7B56BB7961790A1258D7887C9B1,SHA256=57BB0D497180B73482C575E87B25EEEC49B7F653209D1260E968B32AF8CE00C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025233Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:06.602{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0619863F85EF8A8BD6141E608A1F8F30,SHA256=D691EE37C4523048B187BD780AD14D69A7452C0BA1D74F852EA0D9066DD16649,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025232Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:06.602{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=225401A707EDF600FF161863B2DB2663,SHA256=055C57BE7FF71F05B8CAD8CCF67CFA2455848BF502AA39B1438D6EE466346B65,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025231Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:06.477{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-19FA-6136-4506-00000000F101}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025230Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:06.477{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025229Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:06.477{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025228Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:06.477{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025227Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:06.477{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025226Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:06.477{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025225Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:06.477{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025224Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:06.477{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025223Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:06.477{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025222Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:06.477{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025221Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:06.477{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-19FA-6136-4506-00000000F101}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025220Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:06.477{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-19FA-6136-4506-00000000F101}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025219Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:06.478{FFF7FB96-19FA-6136-4506-00000000F101}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000025218Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:05.993{FFF7FB96-19F9-6136-4406-00000000F101}676516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000025250Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:07.743{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C09C1FC056545FAF44E4C365357788E,SHA256=EE99673CEAF67356925DBDE6641D3FDEC770D28F467CD075444112F82CB14EDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025249Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:07.743{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD07E7B56BB7961790A1258D7887C9B1,SHA256=57BB0D497180B73482C575E87B25EEEC49B7F653209D1260E968B32AF8CE00C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025248Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:07.539{FFF7FB96-19FB-6136-4606-00000000F101}37723228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044148Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:07.946{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-19FB-6136-CD08-00000000F001}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044147Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:07.946{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044146Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:07.946{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044145Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:07.946{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044144Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:07.946{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044143Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:07.946{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-19FB-6136-CD08-00000000F001}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044142Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:07.946{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-19FB-6136-CD08-00000000F001}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044141Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:07.947{323FE7D8-19FB-6136-CD08-00000000F001}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000044140Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:05.157{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51615-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000044139Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:05.157{323FE7D8-023F-6136-2800-00000000F001}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51615-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 23542300x800000000000000044138Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:07.427{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0998FDEBD0A336C93E3CA7BE2CC301A0,SHA256=E52E557B96EA1F9BA688C764E6F5155B738534CD09529711151EFD7A1074F6BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025247Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:07.383{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-19FB-6136-4606-00000000F101}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025246Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:07.383{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025245Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:07.383{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025244Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:07.383{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025243Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:07.383{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025242Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:07.383{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025241Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:07.383{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025240Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:07.383{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025239Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:07.383{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025238Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:07.383{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025237Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:07.383{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-19FB-6136-4606-00000000F101}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025236Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:07.383{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-19FB-6136-4606-00000000F101}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025235Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:07.384{FFF7FB96-19FB-6136-4606-00000000F101}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000025280Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:08.852{FFF7FB96-19FC-6136-4806-00000000F101}16283268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025279Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:08.727{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-19FC-6136-4806-00000000F101}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025278Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:08.727{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025277Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:08.727{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025276Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:08.727{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025275Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:08.727{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025274Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:08.727{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025273Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:08.727{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025272Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:08.727{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025271Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:08.727{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025270Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:08.727{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025269Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:08.727{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-19FC-6136-4806-00000000F101}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025268Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:08.727{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-19FC-6136-4806-00000000F101}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025267Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:08.728{FFF7FB96-19FC-6136-4806-00000000F101}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025266Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:08.540{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15D941E753AD22CD8E9008F53BABEB3D,SHA256=F4807CAE721EF6510BE9A29F54C22535E13C459543C017DB341FF25F9F5E744D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044160Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:08.947{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32D8321B6F508F5F2B371451840B39D4,SHA256=BF3672A3839B441712ECB62B0E52D82A92872365D1AF1E4C8289AC7A313368BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044159Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:08.730{323FE7D8-19FC-6136-CE08-00000000F001}4624696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044158Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:08.562{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-19FC-6136-CE08-00000000F001}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044157Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:08.562{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044156Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:08.562{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044155Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:08.562{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044154Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:08.562{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044153Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:08.562{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-19FC-6136-CE08-00000000F001}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044152Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:08.562{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-19FC-6136-CE08-00000000F001}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044151Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:08.563{323FE7D8-19FC-6136-CE08-00000000F001}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044150Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:08.446{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6FD9913EA57FD08E791CE9F119FEF76,SHA256=FFC1F6E542B85231A48E5E8CBD577711E3C7512B57BFBFB6366E7010E0597F27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025265Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:08.196{FFF7FB96-19FC-6136-4706-00000000F101}3844720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000025264Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:05.480{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50872-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000025263Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:08.055{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-19FC-6136-4706-00000000F101}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025262Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:08.055{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025261Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:08.055{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025260Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:08.055{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025259Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:08.055{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025258Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:08.055{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025257Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:08.055{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025256Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:08.055{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025255Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:08.055{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025254Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:08.055{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025253Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:08.055{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-19FC-6136-4706-00000000F101}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025252Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:08.055{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-19FC-6136-4706-00000000F101}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025251Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:08.056{FFF7FB96-19FC-6136-4706-00000000F101}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000044149Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:08.131{323FE7D8-19FB-6136-CD08-00000000F001}49325280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000025295Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:09.758{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26FF340CD1524EDE69A5CA3C3A7ACCA9,SHA256=F74BDB05011F48C1F2F59E4C62D3D8B4F6C0FC1A3401B5DB78D0B05C79E7D632,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044178Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:09.847{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-19FD-6136-D008-00000000F001}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044177Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:09.847{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044176Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:09.847{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044175Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:09.847{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044174Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:09.847{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044173Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:09.847{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-19FD-6136-D008-00000000F001}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044172Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:09.847{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-19FD-6136-D008-00000000F001}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044171Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:09.848{323FE7D8-19FD-6136-D008-00000000F001}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044170Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:09.462{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEF435BC49CADBEC218104FA04D4831C,SHA256=DA2A168944A015318BF4F7E16BB5EEEF67073C1B12DD46430EB052C446CD794A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025294Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:09.399{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-19FD-6136-4906-00000000F101}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025293Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:09.399{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025292Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:09.399{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025291Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:09.399{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025290Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:09.399{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025289Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:09.399{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025288Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:09.399{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025287Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:09.399{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025286Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:09.399{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025285Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:09.399{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025284Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:09.399{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-19FD-6136-4906-00000000F101}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025283Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:09.399{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-19FD-6136-4906-00000000F101}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025282Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:09.400{FFF7FB96-19FD-6136-4906-00000000F101}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025281Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:09.102{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4860454B15726DC33036F87A1D2FEADA,SHA256=48609FEDC63C2FD21ECC3E2AC5E589ECF2F0C2A2E66056369093A9D3362BC213,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044169Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:09.331{323FE7D8-19FD-6136-CF08-00000000F001}62405792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044168Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:09.162{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-19FD-6136-CF08-00000000F001}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044167Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:09.162{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044166Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:09.162{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044165Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:09.162{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044164Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:09.162{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044163Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:09.162{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-19FD-6136-CF08-00000000F001}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044162Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:09.162{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-19FD-6136-CF08-00000000F001}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044161Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:09.163{323FE7D8-19FD-6136-CF08-00000000F001}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025298Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:10.993{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9DB592F0DAE85FDAFE615D94FE300EA,SHA256=24472894D1A9BD3674BE52AC3A84D3AB54CAD7B0712F39225D104EB5B68232FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044180Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:10.462{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A2061B21F00E9DE7841638F1C3FB96B,SHA256=9E9A3C874717E7D4F044E4416BA621F8D2638A9EBAB58DBFD6EFDC2FE4464DAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025297Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:10.633{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B96927AA869F0725772E65FDF427590,SHA256=31355AAAD46BFBBCD1919257893BD984581A23AB58174047C6D00D7883A4CEFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025296Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:07.933{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50873-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044179Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:10.163{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67AD5B53D6D849ABE49434D0A758F481,SHA256=EE3CF92D44BD93BEBFC9DDCC6596F9B6C3189806AE56E5BB892A66ED798FDF29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025299Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:11.994{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C73E65CA1E8740D9C51F614428E81E99,SHA256=729DDD473202D06AD2989A75C33A8250554A96813560545844CD6F1D3BA173CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044220Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.777{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D85F953A4AF8B40A7BE22B861A01234,SHA256=21100488692A4160418A042E52E2DF94EE4F5333F931AFF81786A818EB920C5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044219Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044218Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044217Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044216Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044215Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044214Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044213Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044212Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044211Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044210Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044209Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044208Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044207Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044206Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2D00-00000000F001}1684C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044205Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2D00-00000000F001}1684C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044204Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044203Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044202Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044201Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044200Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044199Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044198Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044197Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044196Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044195Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044194Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044193Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044192Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044191Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044190Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044189Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044188Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044187Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044186Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044185Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044184Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044183Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044182Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044181Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:11.293{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000044222Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:12.792{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA30782417A4F8D8844E5D031052FBCA,SHA256=94B1DCA486FA86FAD9B78F26964E4C31C5699148570147D6424D41D542686180,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025300Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:12.453{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\respondent-20210906120554-090MD5=4761C661187147E55C9BD88F93ACDD3F,SHA256=E49051AD655512C416AEEFA39D6145E31F50204E8459201070596158B48A8487,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044221Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:09.703{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51616-false10.0.1.12-8000- 23542300x800000000000000044223Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:13.808{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60C13CAE8E00815459DBECA9C9BB895C,SHA256=94B11BC495C857B3A47AA08B364A427BBE0D0CC8D886BC313759DBF609154978,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025302Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:13.450{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\surveyor-20210906120551-091MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025301Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:13.012{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F174CFB2388B8A3E0FA61D1E292A2C0,SHA256=0B889909D53D46D30F34FC7DE50F317B0BA75003154A52733C7940E33B708FC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044224Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:14.824{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57560F2BCB7B5C6E68713B72DEB55644,SHA256=55B26FB585C0E1B994A7E36F4918B78FAF4D5E56E029B0A2DCBF9ACF964F5465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025303Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:14.028{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=972F0BA416224E20BDE17C62EA538395,SHA256=C329672516054C4D76CCB3F94F5FE617AF9A2C71D84B4C05C52A4008B047933C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044225Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:15.843{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD15DE83CCA48CB988D8E048E0E23A55,SHA256=C177C7949123E49FF78BF8A949AE6876818659CA515993E5A44EB3F09B0EDAEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025305Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:12.952{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50874-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025304Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:15.043{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3294E0DF896C7860994EF633A0890267,SHA256=EC8FFBBF553D1B8F836641DCDBB4BCB86DD8F6B165A14E73B7467D2FDAD60466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044227Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:16.858{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DA033896D5F5C7817C4AACE114C65A6,SHA256=E409FCF9262902B8D0A569C913270EAC51E8E37B1EEB67DD41452A7AD55F8F58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025306Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:16.090{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE9DF86300B930DF6132F7CC1B61FCE,SHA256=265AF717691B4530269310412B6A5651DBF6DBA8D0B16616B794B324781A0AA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044226Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:14.715{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51617-false10.0.1.12-8000- 23542300x800000000000000044228Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:17.873{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD88FCCB84484FD654ABDFFE056E60A,SHA256=3EE438040618861854E467B228468195027322F43D037789AEA94279A4214EE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025307Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:17.121{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4F276FA2E01E7D82346D0281D15874,SHA256=E778201111AF7D4665DE72A626C8B29636221A7EEB82BFA865CE8CF693B444D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044229Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:18.888{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C63F775EF6AA64B5351A753CE898356E,SHA256=2E0D5D524CE9CC8842F276428F3C398B9B4D3D515ADB6E9348283C245FB3E684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025308Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:18.121{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BAE68AAF311764BE71DDB44990B632F,SHA256=880B0D053BF3E9EE176C251C7AAF9D37B24E25C152D24144A0D0E338CE0305AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044232Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:19.903{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08689BAD89AC11C783A55AC554FDA829,SHA256=785697BCED64FDD0A5888A424787529085718256BD196DC361A3D4D6291E6AAF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000044231Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:19.321{323FE7D8-0617-6136-F403-00000000F001}4476C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\SiteSecurityServiceState.txt2021-09-06 12:19:19.165 23542300x800000000000000044230Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:19.320{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\SiteSecurityServiceState.txtMD5=129544CA9151380E3AA885B74D327586,SHA256=48811B868A708251D7B85DC48EDD419D412FF791E9EF5A71940979F8F52C59FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025309Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:19.132{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E4A8CDAA180DB456A70BE5263E29109,SHA256=329626D9254AD0E7233EF86572EE1ADA4CA883CB076AD886DD6BA8F4EA3293DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044233Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:20.920{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F2EC057856760CC66E61BF68E841F29,SHA256=685B4941AFEEDE5079BA4F264F7A8F12EFA7C199D9FAE1909084ABBAF2A28270,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025311Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:18.030{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50875-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025310Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:20.163{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1246BA768854BB20493D9FAE824E3D88,SHA256=EE725E43B172972B6A1F6F5E333FF8B31A46E3AA425871FF20232F9EF6F8900A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044234Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:21.939{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE68443F0828D8E4EB5609E26F68317E,SHA256=872B2AEEF6ABA35D5471FC1B440498A10DF039D571CDDC75DEBFA58FBFCE39A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025312Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:21.210{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2C90BA9919050AD585D934826E2FD84,SHA256=CBD5E88C2FE0A4210A3057580476909C41AEC6E957532212A5CD33CE261D7BC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044236Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:22.954{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=934A4621DD23A96DDCA36203E2430734,SHA256=260B707845DDB15446E7FAC6A323CAA0623438D9439302F34026156D3FBC392D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025313Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:22.210{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED579FEBB90D7EE28C19671B49F46CBB,SHA256=9789798DDAEB8C522D5B372B157A23EE2E8439908DF30FF431A024AE2172102B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044235Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:20.649{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51618-false10.0.1.12-8000- 23542300x800000000000000044237Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:23.985{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B50EE7B947D35EC815BF6B14F11E3E90,SHA256=06C3C7EB97EF764B2F273B18AFA3EB14811C21F18B12C1B4E05D2F7415DFF66C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025314Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:23.210{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4922C804533ABCECA776144B92590D80,SHA256=87CB53EF218ECCE46171B02249B408D038D1E21F89B76FDFD3D0C5B38C02A4D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025315Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:24.226{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06993AE34B267DA9AFF20508C8BCC832,SHA256=0EA5D63603A631E716FDFC99D270BA4176076FA3DF8013798C14B3E6617F570D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044238Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:24.088{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\respondent-20210906115753-098MD5=58D52BFFD80488B8005F7C319C2D4334,SHA256=B9D8441D1BC2ED8425146F5F211E2A21C477807F4E0B7EBAD9811C868FAB9279,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025317Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:23.947{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50876-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025316Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:25.241{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C550DADB3A3B41E5529EC0D3BA1A364A,SHA256=2F9C22F332DE9AD835B2A73E72ADD79903B3A4B3FD74B85D475330922EFCA034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044240Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:25.101{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\surveyor-20210906115751-099MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044239Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:25.018{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BD8A3802FEE6090FC066958EE1537EE,SHA256=6C0FBC0EC6B5FE83236DD6FFD78EC3BD69071D8C24C2F63E69001792E44C2565,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025318Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:26.257{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=882C601A9647CEDFE75FA75D81BC8FBF,SHA256=105CCC1EB8F310A69DA8DE7D9707F2669EB71CC212047825CDDC7925BA6F562C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044241Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:26.037{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81B6380D55656BC6174FA42EB02DFE0A,SHA256=7DF34DCDDB04427B0E77A044B04AB41CA904F8187BDEE0A2EBA514ED1AD6B08E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025319Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:27.257{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B71F8E3069D26275DE519FC436B087B7,SHA256=0CECB04B820E35D4D8C37554292665723050850022CF88FAF0607F535562362D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044242Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:27.052{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1494F852C07EDB33BAA7B4DA1F2F891E,SHA256=43714316099DC7EC5475600278D1A0CB65B38EE59EF7C144481443A1D5891C59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025320Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:28.257{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=463EC835A56D9B63B29B58906C9811F4,SHA256=F7AD9601BB26D8362DFA597F045696AFC97ADFBF2E1DAA1F415F29ED43E7A548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044244Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:28.067{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2ED8D135225FEA3980B444C000F968D,SHA256=03D78ED4B6B8CC8DA76C11248CE19E68E668FCCA03E9FDF7D40DFCFAB0A914E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044243Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:25.709{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51619-false10.0.1.12-8000- 23542300x800000000000000025321Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:29.273{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1686FA6CDE910A10FA57C8732C34E7D2,SHA256=2BC260B9DB73302BA603C153BD854D5E8AE47B634D6E04DD6C5268216DB9631B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044245Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:29.098{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C2AA9FB877D30EB7C9E275D83D522D8,SHA256=F9EC0039A9E3D1C02A39714BE30464DB5E711790C4886663593B241293516FDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025323Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:29.010{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50877-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025322Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:30.273{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEB0E8DBE6051FFC48B8B5D16525B42A,SHA256=88DC5CD82571D03499DDDB824B56D7659F33D77505DABD47D48B46F376A3B6A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044247Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:30.172{323FE7D8-02BC-6136-A700-00000000F001}1036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044246Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:30.116{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF3306A480AE47D6FCAD712F67A3345,SHA256=A08437ED4D5D466042908B6965B63E73A3BB54C4FAC84EDACFFF5C5AA08885C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025324Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:31.288{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4EFE9FE557BD9B3008F0FDDE1115931,SHA256=B7979CD8FBAA874ED301CF2F4772BDE61B95E43C30757B9B2B10F78A4A2AF54C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044251Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:31.988{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044250Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:31.988{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=7A5884BE61DB4033954E834E6F59F75E,SHA256=01F29F5D8FC580E218A8DFB6B6E2B23BF4C68126768A6EF219DF26C063FFF554,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044249Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:29.750{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51620-false10.0.1.12-8089- 23542300x800000000000000044248Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:31.122{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F2EA78B511AD1635804EEB7BEDEC49B,SHA256=5F8350FB4D98FBACB4D3BBEF2C0969E7BD9C78E1B132B22837BD68F21AEFFC1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025325Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:32.288{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B3E9501B1D678BA428CC2890023F044,SHA256=F3EEEABC65A6946B82C5AEF0B6C349FF9EDD1BBC786990051430CC9DCE9958D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044253Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:30.813{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51621-false10.0.1.12-8000- 23542300x800000000000000044252Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:32.141{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4558CEC08D5468A09BEB46446DB4A376,SHA256=677FFBF69EF1F580CBD6E292F979CE79A3FD9FAC21C787BFE6905CF136D5D327,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025326Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:33.304{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE3E593B8C51BA71C83EA856080D3CDB,SHA256=EDA9F06F4EF8C6017B6F339EB5D4570A51607D4F3CCDA71A860E30A49DB4A7C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044254Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:33.155{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAAC73243065AD11BB1575D3347AC623,SHA256=DCCE76697FE8DF77E092BCDC542630B5EF443EA7C8F96C4A2041BA9332E81C6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025327Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:34.304{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E26AB7291D9B54509A4B892883743518,SHA256=7280A933A23DEABE5CBBB4994A4F409873EF55F7D0C1C4ACD8A53C507431A2FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044255Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:34.171{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=559A325DB6A758000D8469ABE6DE98F3,SHA256=34B26F33D03B1FAB99F486BC7BEF0CA57D129BAB6F2164F9D349EFFB019B4122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044256Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:35.185{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F64EAC08A92F8CBCFB071156CFDDC128,SHA256=45DD9BC4A1C08B9F3C1BBA2C665A00DAD9AE48C6D1F0F46461F66EF85D8552BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025328Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:35.319{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD31BD7D8F68542BA167279629F8FB6E,SHA256=ACD32C97947D733B993C59CC68B41617D7A299FA1D987F5131C9B09308E7CF71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025329Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:36.335{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=407A691CC5008BC58B7E04BE0D6C42D5,SHA256=24D99E36A0B2233B39EC352CAF25D42E1DC69B518DD1210DF46D016B1DEC4792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044258Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:36.200{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7B5DD761B82EE0638A7E5A0066BA094,SHA256=2436627EE4BB4E38F66DAA59BBCC06C109FDFC321B6EBE754AB2F9530EC5869B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044257Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:36.200{323FE7D8-022E-6136-1000-00000000F001}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D298CC8001EB169F98CC2E6D3C406489,SHA256=FB1AFA870ED152BBB6A3A63F9B5ACE0390DABE6D45B41E0B9A0A548D70EAC34C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025331Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:37.351{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F176539A44DB306E3D24016B5A7ECFC,SHA256=6D3B69CD66EAF8EE3D7E28DD960A25DB43FF166CF0CBCE94F639620BC5F156D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044259Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:37.218{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=477CF728A98F2E9F2A9BAC0D6AC4EFCC,SHA256=4C41EFC1AADD12EE0EF3AF7FB1A5D3F596631053458A4749FC2DF95D47B320E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025330Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:34.900{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50878-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025332Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:38.366{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC1C2401BD555EEB92EEA8CF552DBC23,SHA256=7A64E3571A60CF9D8EC5994F5A8B3B0597C78ADD8A423C14D98B0441EF9C9CB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044260Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:38.238{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76AC6B50076048615AFDEF947F160FC1,SHA256=A92F56AA5AF9ED6E26AE06813BDA20C28E09F6A5846A95E086646BC277B633CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044262Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:39.253{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F56A0911EB954710853712B3A734D65,SHA256=734792539CA277EF524E728E6C9011C02A9AEDB5C8E0206D19F3CDA951B2626D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025333Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:39.367{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=483C5D5070A02065893B0E9CAA07CD9B,SHA256=9A235105F9F8C814ED3D368059312B74992B888837E0F37B4106A5D8AE423CD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044261Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:36.593{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51622-false10.0.1.12-8000- 23542300x800000000000000025334Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:40.367{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2CFC10AFE89D1C6BD0B557F55DDD424,SHA256=5DD05EE3206AFCB4E43D1FD299967505239CE4EF2EDE2160637100DD396AA4FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044263Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:40.268{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F43E2169C52F0C1E411A873428774175,SHA256=158A0ECFEBBDCA5742282202A3B4F7371D0744E910B1D969FCC7DD39469D9700,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025335Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:41.383{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=788991A986C3BCAE0A75469E30CEE59E,SHA256=F9FEBBC91421A449C4F946F1A11062E9F5B43C160B82472C3C337FCCF12E6438,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044264Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:41.283{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D02994ABAC18CD1316761088A1D374C,SHA256=E3A5B11E224CD9895401137D22D7F217EA429951A381EE28E03A8C902D382257,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025337Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:42.383{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=691DD2074B2D632DF73615A5B0B68F16,SHA256=12BE87D3D5CA3A4C17C075806C21ED20EB9A3ED5502CEFDF55DFD2C8B17B0563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044265Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:42.298{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6102F4380423A3D6BB52225277966F51,SHA256=215E5A5814F66FAB8B32D3CE52BBB5A2744226788504A64540CEED8A8DF57476,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025336Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:39.932{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50879-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044266Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:43.315{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21D1B997FCFD3B1D762375E5383F7534,SHA256=57D79B635D75A2F68F93C19B7D5F5AB56D60F9EF8FC97BB328EF44BDEEA6D0E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025338Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:43.383{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C446A489C683841BE1CD08014638BBA,SHA256=2C19B069378A810F5BFE4933463AA7F9B0BD586ADB9F86EA844205AE46788A3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044268Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:41.760{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51623-false10.0.1.12-8000- 23542300x800000000000000044267Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:44.334{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70DA0E979758284EF6C49039AC223A20,SHA256=35A2B69E137556291ACF39AD06A9DFB61335AA693B2A513FAF33D44CE2CEED5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025339Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:44.398{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAE2F87D8626DF4FB4EF46E170437B29,SHA256=081A32F6A8C8B0BC1AF573F657E497EC52C78E3FA9BBACE25C614BF8B65875F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025340Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:45.414{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420DF6D86CD96D553816769F4BA5F3C2,SHA256=A8CC5EE09A0AE93D7A01B530913DFE9D4A312FE14803723A945F5842AD0D15D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044269Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:45.349{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EDCA407433B79D5C35B1C135276A194,SHA256=CA67F13E683B55550601636C28254E5B58594D32E7015D420B38FCF2C0074995,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025342Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:46.430{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E04E2FE69F338F84291E7D45ED2603E,SHA256=D0318B1A41FF9E644B7AB7D3B92ED1AEFA7A8D5CC1606F0C8D5C6883EABB309E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044270Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:46.363{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47FBBEB4A61799EF9B617D4CE574EFEB,SHA256=2A5A30BFF571C3E757F1006370ACF0FC90152AF40714A20E45F20335A2BB36C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025341Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:44.932{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50880-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044271Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:47.378{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C49A3DAAC439714DCB33DD10E2F29681,SHA256=C21D8E597845D42FA17CA4C52DE60E91B8F8CAE794473EA5F17D64E17649D9ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025343Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:47.445{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D40CE1C38BD43738FB52199DDA2BA43B,SHA256=4CBC7582EF2C65D9D349B37F1DBAA81C1A357A93E475B256C259688A9B0257FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044272Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:48.393{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC2E9B339E3B998700624F553B334B8B,SHA256=0BA08822C26BDE215F47CBF2F6CEB4B5F8AE73678E43AF0825EDE23B67A0710C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025344Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:48.445{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=947D07CD08BD0B9287AF65DE8F30E135,SHA256=98DCEE7C815B87EAEBAAC74817228E024E634FD194E32BF4D27F1C8257F725E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025345Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:49.461{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39ED5BF641CC121758F737D831B2467A,SHA256=A198DE932E2A671C504F5CEF7B26D43A1A7BE3AD1E5E3C6C8A404F67B2369290,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044273Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:49.411{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9077D845692D7C22D202B85DCC66E71F,SHA256=0A6E3DDC506D8B94082E42280D72365C2F4E42C9C5062EDBA86AA7F75F26D5A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025346Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:50.461{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84ED829FF8102AD583A96E88B32072E1,SHA256=FD4251B76A688138576B6DBD29231D230A3781272E3B476B80A99559AD902CCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044275Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:50.431{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0419E111FF466C5DCCF521A6D9248690,SHA256=7171498036E37A7899CEDFD6FA6BC2D794589F40AEAB9626316F76877A0ABF3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044274Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:47.802{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51624-false10.0.1.12-8000- 23542300x800000000000000025348Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:51.586{FFF7FB96-041E-6136-1200-00000000F101}1020NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B30CBB7EFF2C0705E6799C2DD66C6110,SHA256=7AEECC8A4144FBA100AF546C2AC4514F6F4B0CF51CDD7AFBD453E5E0B5927336,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025347Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:51.476{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C174F2B440EBE3ACDAED026A8B437F60,SHA256=0686279C2C5D6C418CAFAA881FD256E27FC030C9CC285C807923FF115D6EF044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044276Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:51.461{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=212D6B92C628EFDBA7FF686D928A5107,SHA256=C993E83C718DE6A02D723EB4013A8DDC8387337BC7C6FD7C6DD3070D12616592,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000025360Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:39:52.820{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000025359Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:39:52.820{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00562846) 13241300x800000000000000025358Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:39:52.820{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a31c-0x49a9478e) 13241300x800000000000000025357Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:39:52.820{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a324-0xab6daf8e) 13241300x800000000000000025356Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:39:52.820{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a32d-0x0d32178e) 13241300x800000000000000025355Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:39:52.820{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000025354Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:39:52.820{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00562846) 13241300x800000000000000025353Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:39:52.820{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a31c-0x49a9478e) 13241300x800000000000000025352Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:39:52.820{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a324-0xab6daf8e) 13241300x800000000000000025351Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:39:52.820{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a32d-0x0d32178e) 23542300x800000000000000025350Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:52.476{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCEE1E5C88B6ADAE37902E4770492572,SHA256=C1FDBF3CC6895AF2B46BA854290677832D25F0B582B0F24C57D3872D502B681F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000044278Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:39:52.729{323FE7D8-022E-6136-1100-00000000F001}492C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a324-0xabce5b00) 23542300x800000000000000044277Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:52.492{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6875B7BB237F3D0F228A1C4BE7FEC9A5,SHA256=7B8AAD4B9FB675CC2501C27955349E572144085FB321BB34F714E825CC2850BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025349Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:50.963{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50881-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025361Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:53.476{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50837E7FD053BCE7400A6083373CFC1D,SHA256=A13B497A36E930AC7EE9AB71A679F5D4F93673F3A1D1E6B53E5EC2B1229B439E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044279Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:53.529{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0E1B9CB0666D3998A3C63BDB7637788,SHA256=A32230C44261B6ACC23070D6D0208BFFEF25E8EE9FEC032AEC75226D32BB7E47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044280Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:54.529{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD5E3A869A9FAC830D82B48A442CA3EA,SHA256=433E0698F3010189FFE3F314EDA09C0A93C5F973CBA4C0D7AE9DD96475AF02FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025362Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:54.476{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC245EFE28EC2281BBB4C2058A444A9B,SHA256=2754DAA766A4294DBC6DA9E1D126AED85D94CBFACBDD531AEB781335EDA58833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044282Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:55.544{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4064EC2C2D7183F1D3443DC41A80420D,SHA256=3BDD59FDCF903036DCD834FB90EDC7E11BE25910A0B1ED43397E8CF6A938E690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025363Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:55.492{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=916F3C8FA31D02BD3C843D126848F006,SHA256=7848F3D3A195BD87D23C49763E9CD282F8F3B0B4E6AC653E21373365E7BAD31C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044281Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:52.300{323FE7D8-022E-6136-1100-00000000F001}492C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-456.attackrange.local123ntpfalse20.101.57.9-123ntp 23542300x800000000000000025364Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:56.492{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8CA09577A12FE503C56E9E475DCBB73,SHA256=F17B298999ABAF7A6AD6587F1303A7DF7BA43E352636AA39D265FFF48701057F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044284Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:56.559{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61CBFD87D55CB340A248A572668F00FE,SHA256=ED259D9EA39C65826A643F2CE3485E86D14983EA63E2049C8B0837C8A7E721F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044283Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:53.738{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51625-false10.0.1.12-8000- 23542300x800000000000000025366Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:57.508{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6475D9625A2AFA94A2131F6246CA6C30,SHA256=40F9042DAE8BECD6EBCE71A237949CFF4ED3EFE810661B798E0D2E86807B60AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044285Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:57.574{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DC292A031514EE556B3F96CEE04846B,SHA256=E1A82C8A3C873BFA342F0D9675D696140CE3BBF15F7843B0393830DD8CEA7B40,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025365Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:55.964{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50882-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044290Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:58.608{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AB125C0283E3C022FA55DDEE548F60D,SHA256=2FBA5628C0FF66A73000726BF5B3FBBECEBC944FFE04EF818952296CF5AAC986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025367Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:58.523{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=056A4E89F569A89C6CDBB466298A7295,SHA256=8044C1985FB2523413260161B9AD7BCFE907DD3E7EC9982FF921A952D2B544D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044289Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:55.989{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-456.attackrange.local53domainfalse10.0.1.14win-dc-456.attackrange.local58955- 354300x800000000000000044288Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:55.988{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-456.attackrange.local53domainfalse10.0.1.14win-dc-456.attackrange.local55566- 354300x800000000000000044287Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:55.987{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local56711- 354300x800000000000000044286Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:55.987{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local58294- 23542300x800000000000000044291Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:59.641{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6771ECAA2155391E79222E9DC40025A4,SHA256=87C43E171DF331F5E7F95440543DE7E8ACA56E2FD2A9F9253045EB3F194748F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025368Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:39:59.528{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DCBE91C6671FB976E95B240CE1F1EA4,SHA256=DD4C33487ED462A898A36EE91B7A5DFFD68DD28153BB70696F1B6E811024D443,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044292Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:00.672{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AC9CD7D657AA33504094335A33FF2D0,SHA256=0DA0FD8ECA24B393DA8B206D924DFDEE895476DED1479846F1C28393ABBCB8EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025369Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:00.528{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FDAFD20D812A8868A93B4D839A86B99,SHA256=3C0FDE7053AA4C2C5D3BF3ABB7AE8741F1DD97B20D5A4A3FB8BA325DCCE9961C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025370Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:01.528{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26D0E30918EE235D5F5D7FBEB39BC174,SHA256=F22C16DCA85D50A069CB1A745D159E31B3EA85286868D1369FBDEC36076DFA31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044294Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:01.687{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC7EEED34643E6A468D06A1CD4A155C3,SHA256=2B09C88B425E014F40425A05196FD0183B942640F88BE7E6E120016FCEA63AB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044293Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:39:59.750{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51626-false10.0.1.12-8000- 23542300x800000000000000044295Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:02.692{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD3EB9BFF0FD89AF6F6079DE7CD0C9BD,SHA256=F4B5562A7A7FA3A49BCD237172858903748C9D290E2C0154A081B9A1369DEF90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025371Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:02.528{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D218FE3404B800C0FAFBC044A5A2BBB4,SHA256=3174CD01DBCF7DFD3AC372294E2C1A1A9378423346EBF8A01E58893DDF59C7A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044296Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:03.710{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FDEB1EA4CFB6F6D729A7550FB779DA6,SHA256=A93B82A14B4ABE3484757A8E9DB162F07E0D1949DF4A52DDE9C4CA8AEF2841F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025372Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:03.544{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E86D2B27B9093B0B285B60471F18ED5,SHA256=B7188F910397F6F6167C68F31892641F8793795DA7A198086082D136CCF1B761,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025374Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:01.937{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50883-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025373Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:04.544{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA342750E872FA2F9DE87FEB10F56627,SHA256=5943B8ACAA2A4BFA97175DEEF6F333FAD9D3650A3595A02F6E31B187082DA36E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044306Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:04.729{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=341FB183879136710E3FFF3BD44F857D,SHA256=106D969953FEE60BC0BE71DA838146835867F6AE06A4D49956B4A0419D964EE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044305Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:04.628{323FE7D8-1A34-6136-D108-00000000F001}61243360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044304Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:04.428{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1A34-6136-D108-00000000F001}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044303Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:04.428{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044302Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:04.428{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044301Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:04.428{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044300Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:04.428{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044299Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:04.428{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1A34-6136-D108-00000000F001}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044298Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:04.428{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1A34-6136-D108-00000000F001}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044297Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:04.429{323FE7D8-1A34-6136-D108-00000000F001}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044325Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:05.744{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CED3A795D650B415E3C6624E7A98703,SHA256=77555A8475C0B23B37FBF00CF7850D27939F5FBB5CECBBBC9F2FB4434BFFCD32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025403Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:05.965{FFF7FB96-1A35-6136-4B06-00000000F101}24122392C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025402Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:05.809{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1A35-6136-4B06-00000000F101}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025401Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:05.809{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025400Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:05.809{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025399Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:05.809{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025398Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:05.809{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025397Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:05.809{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025396Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:05.809{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025395Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:05.809{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025394Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:05.809{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025393Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:05.809{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025392Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:05.809{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1A35-6136-4B06-00000000F101}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025391Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:05.809{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1A35-6136-4B06-00000000F101}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025390Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:05.810{FFF7FB96-1A35-6136-4B06-00000000F101}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025389Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:05.669{FFF7FB96-049C-6136-9F00-00000000F101}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025388Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:05.544{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E2878F3C7A254B2335B78BE58B96CB,SHA256=335DA7701CABEFDB1C58ABAC15CEB52A73CA28FC86518DB92557273523F62326,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025387Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:05.137{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1A35-6136-4A06-00000000F101}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025386Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:05.137{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025385Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:05.137{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025384Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:05.137{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025383Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:05.137{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025382Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:05.137{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025381Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:05.137{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025380Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:05.137{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025379Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:05.137{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025378Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:05.137{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025377Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:05.137{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1A35-6136-4A06-00000000F101}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025376Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:05.137{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1A35-6136-4A06-00000000F101}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025375Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:05.138{FFF7FB96-1A35-6136-4A06-00000000F101}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000044324Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:05.612{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1A35-6136-D308-00000000F001}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044323Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:05.610{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044322Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:05.609{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044321Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:05.609{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044320Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:05.609{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044319Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:05.609{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1A35-6136-D308-00000000F001}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044318Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:05.608{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1A35-6136-D308-00000000F001}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044317Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:05.608{323FE7D8-1A35-6136-D308-00000000F001}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044316Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:05.429{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A66650AAC9A6C1BABA4F328CFE89AD7,SHA256=CF6E059690FACA96E9F9CA5F469F6C6EEB75A4BD3CC7DEA7B1FEA6FCC83931C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044315Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:05.429{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB052D71DC62553683649A895B814259,SHA256=71EEB156943D7B60C418E08F6AFC8FEFBF8CC07E8612FCE2BD1EE0A97767F45B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044314Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:05.013{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1A35-6136-D208-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044313Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:05.011{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044312Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:05.011{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044311Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:05.010{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044310Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:05.010{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044309Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:05.010{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1A35-6136-D208-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044308Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:05.009{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1A35-6136-D208-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044307Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:05.009{323FE7D8-1A35-6136-D208-00000000F001}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044328Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:06.759{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0D2B0D62D1F7CF5FFF4F5B42760581B,SHA256=86315D639EA1C2572B88B15855FBE9A32740D279C79526BA8B04E61E815BF59A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025419Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:06.590{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8DB8569714682542E86CECE82893427,SHA256=B49C6C45E16440E53B288985AE0AAA03FDEF2A85D36B6CAB9F9A1C6AABEF86FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044327Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:06.591{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A66650AAC9A6C1BABA4F328CFE89AD7,SHA256=CF6E059690FACA96E9F9CA5F469F6C6EEB75A4BD3CC7DEA7B1FEA6FCC83931C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044326Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:04.769{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51627-false10.0.1.12-8000- 10341000x800000000000000025418Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:06.481{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1A36-6136-4C06-00000000F101}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025417Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:06.481{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025416Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:06.481{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025415Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:06.481{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025414Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:06.481{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025413Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:06.481{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025412Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:06.481{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025411Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:06.481{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025410Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:06.481{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025409Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:06.481{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025408Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:06.481{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1A36-6136-4C06-00000000F101}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025407Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:06.481{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1A36-6136-4C06-00000000F101}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025406Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:06.482{FFF7FB96-1A36-6136-4C06-00000000F101}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025405Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:06.153{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE9E1DD7A6BEA284EB88963F90CC02A4,SHA256=84204A92BF8221225D1E9C1F0095C20EC485202A911FC562AD32D8F2C5AEB44C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025404Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:06.153{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3675892FB11F036DD0252271E8D9DF07,SHA256=4DD04ADD215255CA867C08F27669A8EE706422951A28B4538BD47422E94F15CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044339Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:07.958{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1A37-6136-D408-00000000F001}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044338Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:07.958{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044337Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:07.958{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044336Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:07.958{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044335Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:07.958{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044334Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:07.958{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1A37-6136-D408-00000000F001}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044333Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:07.958{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1A37-6136-D408-00000000F001}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044332Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:07.959{323FE7D8-1A37-6136-D408-00000000F001}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044331Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:07.790{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A47C1D07063D3A46DC35258FFDFA1E12,SHA256=3E4C28E4F0AC96F6AB6FEEE0C9B1826B26EA6779A5C72233E689665FEC6B81F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025436Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:05.500{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50884-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000025435Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:07.591{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA3E24812855C2310BEA14BAFC2BAF35,SHA256=6F903955CC176A311AD186F61314D33ADD32A5B9C3C197D9A6340672986F9609,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044330Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:05.169{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51628-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000044329Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:05.169{323FE7D8-023F-6136-2800-00000000F001}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51628-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 10341000x800000000000000025434Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:07.559{FFF7FB96-1A37-6136-4D06-00000000F101}37643260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000025433Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:07.544{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE9E1DD7A6BEA284EB88963F90CC02A4,SHA256=84204A92BF8221225D1E9C1F0095C20EC485202A911FC562AD32D8F2C5AEB44C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025432Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:07.387{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1A37-6136-4D06-00000000F101}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025431Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:07.387{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025430Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:07.387{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025429Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:07.387{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025428Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:07.387{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025427Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:07.387{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025426Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:07.387{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025425Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:07.387{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025424Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:07.387{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025423Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:07.387{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025422Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:07.387{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1A37-6136-4D06-00000000F101}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025421Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:07.387{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1A37-6136-4D06-00000000F101}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025420Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:07.388{FFF7FB96-1A37-6136-4D06-00000000F101}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044351Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:08.978{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E1720EC096C7809A6E08920748DBFA3,SHA256=C59D4B988F6610E8AB42004A31CDE03FC95225042AF23A262E4BBFA977EFB3FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044350Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:08.848{323FE7D8-1A38-6136-D508-00000000F001}39563832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000044349Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:08.813{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B83206A07A7C4CAB140FAC65DBE00572,SHA256=BFD33ED2A8E4332031D7949B612F234669FEB5DCEDB8860CE360A94F1E50BCE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025465Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:08.872{FFF7FB96-1A38-6136-4F06-00000000F101}17043296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025464Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:08.731{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1A38-6136-4F06-00000000F101}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025463Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:08.731{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025462Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:08.731{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025461Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:08.731{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025460Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:08.731{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025459Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:08.731{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025458Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:08.731{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025457Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:08.731{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025456Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:08.731{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025455Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:08.731{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025454Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:08.731{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1A38-6136-4F06-00000000F101}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025453Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:08.731{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1A38-6136-4F06-00000000F101}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025452Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:08.732{FFF7FB96-1A38-6136-4F06-00000000F101}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025451Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:08.591{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19FF1031FACD68D0E6700C86DD0916D2,SHA256=F1DDB2624A3EFB1DE51804C5E33FB23226DBF5B291E48126ABD07C0C143C1063,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044348Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:08.641{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1A38-6136-D508-00000000F001}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044347Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:08.641{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044346Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:08.641{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044345Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:08.641{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1A38-6136-D508-00000000F001}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044344Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:08.641{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044343Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:08.641{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044342Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:08.641{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1A38-6136-D508-00000000F001}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044341Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:08.642{323FE7D8-1A38-6136-D508-00000000F001}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000044340Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:08.237{323FE7D8-1A37-6136-D408-00000000F001}61281936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025450Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:08.200{FFF7FB96-1A38-6136-4E06-00000000F101}2956500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025449Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:08.059{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1A38-6136-4E06-00000000F101}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025448Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:08.059{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025447Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:08.059{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025446Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:08.059{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025445Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:08.059{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025444Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:08.059{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025443Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:08.059{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025442Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:08.059{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025441Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:08.059{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025440Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:08.059{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025439Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:08.059{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1A38-6136-4E06-00000000F101}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025438Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:08.059{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1A38-6136-4E06-00000000F101}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025437Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:08.060{FFF7FB96-1A38-6136-4E06-00000000F101}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000044369Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:09.861{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1A39-6136-D708-00000000F001}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044368Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:09.858{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044367Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:09.858{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044366Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:09.858{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044365Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:09.858{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044364Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:09.858{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1A39-6136-D708-00000000F001}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044363Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:09.857{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1A39-6136-D708-00000000F001}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044362Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:09.857{323FE7D8-1A39-6136-D708-00000000F001}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044361Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:09.840{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC49C6C064B6A902B623414A4552D66D,SHA256=BD717C54C8B50849A63A23A28F3D3FFEBBD5B7DABB753C2AA34DCCBA8477D861,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025481Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:09.731{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54251DA1536B3A5E24EBD5C50210799B,SHA256=09567417FBF4C5F3D7EDE33694CE96E1DCC2D09069BFD9C21A74F9BA86396AA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025480Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:07.064{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50885-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000044360Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:09.340{323FE7D8-1A39-6136-D608-00000000F001}48166400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044359Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:09.162{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1A39-6136-D608-00000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044358Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:09.160{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044357Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:09.160{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044356Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:09.160{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044355Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:09.159{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044354Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:09.159{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1A39-6136-D608-00000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044353Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:09.159{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1A39-6136-D608-00000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044352Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:09.158{323FE7D8-1A39-6136-D608-00000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000025479Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:09.403{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1A39-6136-5006-00000000F101}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025478Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:09.403{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025477Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:09.403{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025476Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:09.403{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025475Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:09.403{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025474Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:09.403{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025473Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:09.403{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025472Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:09.403{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025471Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:09.403{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025470Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:09.403{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025469Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:09.403{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1A39-6136-5006-00000000F101}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025468Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:09.403{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1A39-6136-5006-00000000F101}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025467Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:09.404{FFF7FB96-1A39-6136-5006-00000000F101}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025466Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:09.075{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B831C737A3049C8A2D46BB37A003890F,SHA256=5989EE30931D3102D94197BE90A1F7874795CD9D6CFC29375E66DE96947F4C58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025483Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:10.684{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CB2BFA692D13B3AD4D1E934B8BF9EBB,SHA256=2CC9F820A969CE44D3BA4533F89447C68F82CD4F5824D62ADB91143278F164AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044371Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:10.877{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DD20B1233947EDA3CA2E62BA573671D,SHA256=604522FAF96C8E40ACC012E6B13047588B0568C23169DCBBBD16C7AD80AF0BCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044370Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:10.177{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACC05609933212E5F884B0C0FF7936E4,SHA256=1A750A07CE4B149E4EB1E6F3535E7D21CFD53ABBAF39AF4D0F92408056C8A4CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025482Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:10.450{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A599F4D11C5F2E773ECCA34BEEB1773,SHA256=7B0B25B5485AA7262A0972759DD8F840087F22FB02774CDAAF4B0CC0935617BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025484Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:11.747{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B980D731ECE29440577120F07602147,SHA256=4E6403569FD9A4481C8DC6E87295E9B6513E3D6B47B6EC8C85D1924850092B39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044372Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:11.907{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AE9B0F60BF9111025A73FD17BD80000,SHA256=A1E2049805C7585C1943F9111FB07DFC52DFEA36AE5D85AA34175F4A9D2F47E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025485Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:12.794{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99BF1F7E2BD15866965CE3124AB7059A,SHA256=26916604DE711FA15086B2EC954CAAB4E036F5154C7283686DF919124A9E0DA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044374Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:12.938{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43F55E7C5D0305DA7C9D6F21BC778F5E,SHA256=1CA9C3509EB356804551F48EC1CF0C059807C0A7495D6040DC60A603B30F8233,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044373Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:10.717{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51629-false10.0.1.12-8000- 23542300x800000000000000044375Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:13.956{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=765FA337D213BD2F201DD33639677510,SHA256=0EC905EB39C098CA183AA8D138AA31016730D254D1DD8F7708EE43E710DD166C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025487Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:13.969{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\respondent-20210906120554-091MD5=4761C661187147E55C9BD88F93ACDD3F,SHA256=E49051AD655512C416AEEFA39D6145E31F50204E8459201070596158B48A8487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025486Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:13.810{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4AFA3611BFF4514C993C3C285444E3D,SHA256=2E4F3FA18BCA60B5C9A71E4969B8FFECF825F94088F86DA92B1A2149A2A35B42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044376Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:14.974{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5E3EDC088C15B7C7C86A6F5D5EF5714,SHA256=CF093035E7C3DF40AEC18062CE89DC45053D79C0B97DC1AE32A23AB7DD91CBBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025489Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:14.981{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\surveyor-20210906120551-092MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025488Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:14.872{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C86F3D7DC78CBCB545A12D25F5A2D4C,SHA256=10B5A5A5359741BB9038F0C6675223FDF0A608D52893243525A957DDD9B801B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025491Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:15.892{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF95DC38FE25723A4A1ED7074B9BFC05,SHA256=773877A6BEEB355192E4F21C643552990EAF8BB8E703429B716779EC050CDFB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025490Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:12.874{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50886-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025492Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:16.924{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AF3EE57B6DD5FB87564DE3F187150FC,SHA256=ACC5625A2C7695C41F90F45C29ECF33FD3181D03C8FF87F12CA3424CA6C8A797,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044377Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:16.005{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5156FF54E0324C407062A51593D9ED1,SHA256=0B739A7AB9397B6CC4FECBC1F069D0E70CA9D827A013682819958FE96CFEDA4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025493Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:17.970{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9A453D991CFDF36E69254AE657BE80D,SHA256=4388DEE9FEB333E8707E33A95A05FC3E7F9792E25730201F2A07D215C6A54106,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044379Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:15.745{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51630-false10.0.1.12-8000- 23542300x800000000000000044378Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:17.035{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=241394A0E426901CAC6996F7F5731CAC,SHA256=130CFFB5831417F7C0A1D624EDA5ADCD67C261DA58FB9BC24A9E565F739CF24E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025494Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:18.980{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B23771DDB657F135C490BA26D8ADB446,SHA256=2DC7BCC83755056EF246CB43B7A9FB99B40790178D33B1A34937DFC2EBBE291B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044380Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:18.053{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9216A6D49FF0EAD6B9EB223D42D2B943,SHA256=BA4FA49E99F96A2154311354D416BD65B2736E1DD2EE6D6F4E1B9E329F40F863,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025495Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:19.996{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE62C3D669EF5F9163DC72DD3DC87799,SHA256=35D7A6CDF35E13C6D5923C9EC30856FE600D876705D98D27AC424337E6080576,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044381Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:19.071{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F39FCB1A2727E09A3F93419996EB315,SHA256=C19BA712639E4865E9212A99D331BF89C82A7CB224E3460797313318A4194CD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025497Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:20.996{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AAD5BC6B548BAB119B9A3FB4897ED1D,SHA256=0FA8BD04990254B25C858E1365B55DA6E637E910800E39177BA4ED7E8F1EDDBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044382Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:20.102{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03B18FCFAED2182AAA6AE514A2FA70C3,SHA256=BAAC7C7B703B2D531D4B87609431ED2D5CEBC5388202A26FAF061D5AFA247144,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025496Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:17.912{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50887-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044383Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:21.117{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E469CDA2FAA2183A4A191ED41D65E729,SHA256=5EFBD1B49FCC844949BFCCAF5F49EDDCA6244EE526E7DDFCF889F5B87116CDF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025498Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:22.011{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AB08984C59DC29CEF3C8E0B9D0B2CF9,SHA256=EC35A4FA1B76AB81918A6F0DAAF669FC74FA3FFA53FF71C21FA27F801E66E0A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044384Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:22.132{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E225EAFCA33787792EA8641D24442BB,SHA256=3D9C1C6035107E1CD2D8F1916DB0024900D06F13E30B85F61E4DED33B05F9164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044385Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:23.169{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D6799B7BB0D39047F5C534708AA6EA0,SHA256=F846F7335BC49B6D966F27B9492C6214869774C3544D91D5AE2D5BE9E0D323AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025499Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:23.011{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C69DE48CFF5E3AA112650E0D5E75257F,SHA256=5D0800A7F77F547F00A2D5D36DD884A1844E5D2B0D56EBDB25C0430F7AF8B030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044387Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:24.199{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D2E2FD0E2D5B1E76AE88628C18A0B8A,SHA256=6DBB0550607683469ABE050C4C091922253301D2E45F5C77381F1FA99EB35B75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025500Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:24.027{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1927E89632F79BBAEA2CA46DBE431580,SHA256=DECBB2587741E08742858F1A8253CE1A83BED4AA53C6F73F7F9F1D023B39525C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044386Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:21.641{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51631-false10.0.1.12-8000- 23542300x800000000000000044389Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:25.633{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\respondent-20210906115753-099MD5=58D52BFFD80488B8005F7C319C2D4334,SHA256=B9D8441D1BC2ED8425146F5F211E2A21C477807F4E0B7EBAD9811C868FAB9279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044388Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:25.200{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E4BA08A09DE806AEA313C63EC93F827,SHA256=229CAE4F9A3EDDA90775ED02B8C71A56B7F84B87312186B0D3BADDABC1287E8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025502Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:23.873{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50888-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025501Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:25.042{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BAA2D3C61AEF41210C82035B4E17870,SHA256=8D7886EA60CC22E242BB2E59E8564E5908A303FC503E4FD9C767EE5C979FFD16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044391Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:26.647{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\surveyor-20210906115751-100MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044390Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:26.230{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37B6D67DC1249E6B5BA8290B9E938438,SHA256=1542E3F570B2F55AB9956970C4D6A49E77C19DA43DDAAAAA9D096EE07BD38BB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025503Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:26.058{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5D34FAF3471AEEC6C744BD604F4EFCF,SHA256=E0622813F5C25953B4B46ABB283E74BECC0A74C48A28A0C358685A404C9BE2FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044392Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:27.232{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8FB6E1624CC6B12E47993F4578521BB,SHA256=846CEE5D6075995437D8940276A2060B7A34C5587418EEA4A66A2DE4ABB83084,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025504Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:27.074{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E13076A53DC087668538FE3FB704AE4D,SHA256=E22D520671B42A3B2CB4AE7B7EE10221C12F97167553B7131FBA8B0A2215289F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044393Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:28.267{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B63E461E126C509367552EF6914A036,SHA256=D37A4D722970ACF12D34B2A2147605F5D8EFA874A773D0BAC60B7686950CFEF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025505Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:28.089{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3227C8B72AA67F962CE86AAFB8090825,SHA256=EC2BA23096BAE29992BF01B96D063601674004824F9819357FB81F4490FBBDE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044395Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:26.861{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51632-false10.0.1.12-8000- 23542300x800000000000000044394Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:29.282{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5A0BC1C974E06BD6479D8896950AC0B,SHA256=B92DD9B8A969D8B3CE98626F72D1F09C152624923859E5B1CBED2552DDEA4806,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025506Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:29.105{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA871C2FEE9A20E7D6A6D3C45DDCBFD9,SHA256=F42BD85E724105DC6639D9E3377A86D388A4AE5E96C27D54A4ADBFC10E96B573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044397Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:30.297{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F58A084675511FAECAB3E07E53DC137,SHA256=F8E3DF504939220B60BB5ADBE2181B051FD49DE9090359BD27EED029D880C8B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025508Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:29.076{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50889-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025507Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:30.183{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BA26E9D26FDAAFA6675B4C4653C5A45,SHA256=57FE99272BB816DA6DA515D5AC983DD6EF47A42B75F6EDD78F4BAEA2B5705A4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044396Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:30.197{323FE7D8-02BC-6136-A700-00000000F001}1036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044398Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:31.297{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8865218FC2D966C1A67E03F8178811DA,SHA256=B42809D6DD9A9E27A0DC5048ADAAE1153E5ABD881D4C706BD1452CD454BA62B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025509Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:31.230{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=217CF14CBB22DEE3D85619ECEB676D49,SHA256=72E966AA3D340AF4E27F0DC3B5139045FFD68F5D67ABD49CEC82C37158021427,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044400Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:29.775{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51633-false10.0.1.12-8089- 23542300x800000000000000044399Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:32.328{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41EA1AB361496C553A165804D77EE9A8,SHA256=3A866ABC01191422D2BE6904732F9D6CD8646EB8E18A6954F1F1968BC5EC95B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025510Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:32.230{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C030CD6803DA0BC8238EE7268928227,SHA256=1639FE86497C0E374EB8DA22DE5649B072C629DFAA59118C5A150FBC950BD744,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025511Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:33.277{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E3B62F35CEB49DC77CCEAB6FBD0D7B8,SHA256=985D4A92C35D6EAD5E7C8710992BD7EB4EA6F85B713EB677DC60ADCE7F64E70C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044401Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:33.346{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B27340EB61E1C1947111987EB0D5AEF8,SHA256=151BFE7BAFDFF6360F15CCA83515B1E82591BD8DDF5EFD69F5DF4E1A00CD0B81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025512Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:34.292{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DF6A66AF8A05C2D5779F46FFA87473E,SHA256=F22AEE9204E68B2E23EDE2BC8BA889C74C9F9CA82FCB1C68992F5E0B835D9926,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000044413Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:40:34.510{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000044412Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:40:34.510{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x005e5f7c) 13241300x800000000000000044411Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:40:34.510{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a31c-0x62564396) 13241300x800000000000000044410Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:40:34.510{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a324-0xc41aab96) 13241300x800000000000000044409Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:40:34.510{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a32d-0x25df1396) 13241300x800000000000000044408Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:40:34.510{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000044407Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:40:34.510{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x005e5f7c) 13241300x800000000000000044406Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:40:34.510{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a31c-0x62564396) 13241300x800000000000000044405Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:40:34.510{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a324-0xc41aab96) 13241300x800000000000000044404Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:40:34.510{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a32d-0x25df1396) 23542300x800000000000000044403Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:34.364{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44C54E660251847AE5A1844DA5ABA1D7,SHA256=D65C02A9784880DCA57CF450F42575F9F1FE54CF94E71B179E2E959D5E53ADCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044402Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:32.658{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51634-false10.0.1.12-8000- 354300x800000000000000025514Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:34.108{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50890-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025513Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:35.339{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57067BC13AB340D9A8EFF33C40F968BB,SHA256=B98449CC0193913C1B48C5C9395CB621C7540C87CB06AFC77870D88DBB539B48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044414Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:35.395{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=267C40CE04C9324B948D65CAC2E7C762,SHA256=84FE28DDAE2ACE3DBE2DB25E3240DBEC21187D7EC5FB9F6DF1A5C7FB928EBB7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044416Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:36.426{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A764167A9DCDB001F9985A7F037D77C,SHA256=70DBE05499564B1A71BB221C2B51E4583D386F64FFCFD10E88FA166997C6FF6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025515Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:36.355{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8D95CF5B4CF5EBF4CBA14AAE2A5840B,SHA256=932A6C8CBA9D1BCEB11B36ABA0AE798E3B71EE50AA205C63716FEE5326FDBC16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044415Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:36.210{323FE7D8-022E-6136-1000-00000000F001}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0C6590BB0FDD6A0EBD22FE04D12F8650,SHA256=185CBA4BC7F6E100926D66D6247091D34EA430CADFB0D456E49EDA1F55BD19BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044419Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:37.444{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0B3466A41EB8CB93D941F36B24876AB,SHA256=74F035936C461C22DEF14CD84A49018CD15199EC9495EC1983EB7DF11F958BB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025516Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:37.402{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF096269B5F274EB1D87F07032E2671,SHA256=45ED1DF921B5800AAA6E2A63E11FACBAEAB77868B106A178DB2918463F7EB317,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044418Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:37.210{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=EE176543C44EB978E885EB77DAFCB769,SHA256=6EBBA66AD6A7EEC95216D6C43A3ECFEC7B50346D4BECEB614F010FAFA2EA575A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044417Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:37.210{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1182936DAC3C905632D409545A6CE5AF,SHA256=B10E4A104824FC69A4EA61D2027809D6AF65731D32E2733470718A823329C1F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044421Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:38.862{323FE7D8-022C-6136-0B00-00000000F001}624812C:\Windows\system32\lsass.exe{323FE7D8-022A-6136-0100-00000000F001}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000044420Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:38.462{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63936DF9C5BF7C972B5F77C90CFDAE47,SHA256=831023150D12D468D0CA62E851F4A9626F8D7ED37B66CF719858DCE5BB428002,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025517Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:38.449{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC5926E3384773DB32E98BFD47FB523E,SHA256=EBA2810E494B181829EE68FB6F4AEA3B8211C2366C64C95A4A563D6709B0A2FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044424Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:39.761{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BD1D7A1EEAA6F7725D70922CCF1BFE1,SHA256=FB2ED659FDF8430EF83E1334F1CCD5B78932EDE45A9E06AB26FCC9EEAC456F5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044423Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:39.761{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE533C492EAF7085F9FF0494FB1D0E3E,SHA256=EC1E0FBE264031485D011FBACBA66BD3F2EF08F0ED85BF38EC1675AE56F05CAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044422Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:39.477{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4D822BE77E756721F3A50D6D32F669C,SHA256=B73686E15C203FB50F8ECC3DB1ECBDCEA6D618A32ECE014188E353E4E369C22E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025518Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:39.453{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=230836006AD7E9EB5A30C98DA2980C05,SHA256=84E40BDECD13624DA6267D0509F77B6113860F5F37618D3D5A07529989C77712,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044432Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:40.507{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E04A66DAA095C78B6A8E59A515612FB9,SHA256=0B39054364C365D32060A1A5563C64F1A0F4978CBDA6E3DB1E15D837BAF2DF11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025519Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:40.484{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91FBAAD05D7707E35A65FA28A7D8EFBB,SHA256=4ACD8CA1A2E4EB04EEDD891284C899B3A7BEFB752121ADB458770D28875DBDD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044431Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:38.459{323FE7D8-022A-6136-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51638-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local445microsoft-ds 354300x800000000000000044430Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:38.459{323FE7D8-022A-6136-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51638-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local445microsoft-ds 354300x800000000000000044429Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:38.345{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-456.attackrange.local51637-false10.0.1.14win-dc-456.attackrange.local389ldap 354300x800000000000000044428Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:38.345{323FE7D8-022F-6136-1600-00000000F001}1308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51637-false10.0.1.14win-dc-456.attackrange.local389ldap 354300x800000000000000044427Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:38.336{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51636-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 354300x800000000000000044426Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:38.336{323FE7D8-022F-6136-1600-00000000F001}1308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51636-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 354300x800000000000000044425Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:37.787{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51635-false10.0.1.12-8000- 354300x800000000000000025521Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:40.065{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50891-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025520Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:41.484{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B97B13AE2B62AEB30FA77DF604D993C,SHA256=05C51DDD57DC4A905128C2F208BF7E049F4F4C153739269EFDB1879E39ECD67C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044433Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:41.508{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF34EB21281D0C180B177E45042C189D,SHA256=B8369F3A03DF19F01187DBF0868F3A560C5D846D4A911EA10809665135E3CDCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025522Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:42.500{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D94E866B065A8ED241C9E36D69DA5207,SHA256=5BE5093AB755432E220B94A410C3CA96B6F3AFBC6DD4E5C1D6BF291B8ABF94FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044434Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:42.522{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=158535C7494CC8D1823BCF7BAD853F72,SHA256=26F29103CDD62AC905848D68494D01828C119D545B3B4673C7DCCEE84FFB72DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025523Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:43.515{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69FB3293B6AC2EA92844D49E60A09166,SHA256=121B491765B916A722DED5C054241763C81282542212CD7D2963174D2E88DF78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044435Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:43.540{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43940C75C9DCEA56573A4251622619B5,SHA256=73B01B577881F1FE375D5A285E1BC66304C7CADAFC2A0E29C5E592571400ABEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025524Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:44.562{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08A4460F64A7AD4F4157B529F76ED9AC,SHA256=BAC82E10614A55B63B7CD6771C95E449D1276EFCD067AD4DBD496FC6B6679D90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044436Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:44.574{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABBE668E5EB7CA38D2A4D7D68C36CC57,SHA256=892CB546FDD4648D7290BC140BB7537A46C2728C3F449D2499BE377BD5B48AE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044437Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:45.605{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A65E9340AB3867AA335FD374EBEF3AC9,SHA256=D43FF31897E7F31B21AF9F2376CDD5EDE1233067C750F48348183986C08A0A5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025525Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:45.562{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69344EA360CD6C91BF717230209B3C1A,SHA256=5AD8FC9B61325EDC7D6BC08E9BA527ADB46019657A811D35EDBB45F17DE013E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025526Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:46.578{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A84E9D8D146EBD602A90C3373357A34,SHA256=24F9CBB3B79AA0746C87CB848C4C13451D7CBAC74CD048F16B547A0E737204FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044439Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:43.668{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51639-false10.0.1.12-8000- 23542300x800000000000000044438Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:46.638{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8623E8F215C3106A0A9A8A8A690435ED,SHA256=01C94C2E1A727E38F84CB4BF629F8516CFBFB1DF8E9026F861F7790B12DAAC7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025528Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:45.909{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50892-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025527Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:47.578{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A827078615AD7C13680DFB71B017A9B0,SHA256=4445994F11F584669CC403D7885641D8DB77ABF3B37A896D44317FF3609AE99A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044440Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:47.656{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=013C19EFF39E4E8C87D72BF15776CB3E,SHA256=F74DB41A10F155B82FEDC300C2D1527BA780FA22C1304750B4E67A3D6E4FC38D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025529Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:48.593{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=422F2D065FF2C35A99AD5E7E3DF84FFE,SHA256=9029CB95537F990653EFF63C86EDDF3FCA52B1F13B33051DAB5A80448B48C8D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044441Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:48.671{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC62D8331BD5C9BBB4896ED144C53BA1,SHA256=C0FA349CD08B1AA0E7F7352183A62AB247A721B012D4A67E5DAF2723B0846A9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044442Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:49.686{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD334901EE5462534D31B7F1A6485532,SHA256=44CC1C334109603D5983A1EC515401DAEFB21B9274C7261C24A8CCA99CF755C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025530Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:49.625{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD90640CBB9D1C5A5BCE9564DD9E930D,SHA256=88B9F61858D4DFAF80CD7FB97614C7E44F825FF46BDADC5C64A5E5F0248C6CC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044445Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:50.701{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=423A97F6E7FC0D33ED8E65F835D42282,SHA256=8010B5C20B61078BD0C5A9D2AF35204066A149BCEC9D390457FC8B399A9D2641,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025531Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:50.640{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5D7035DCDCCFF185A7F74A9A541077B,SHA256=F177105E064AAA7A534EDDA50D71F3A56B51B12E126EB066921D32EAC7E97C0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044444Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:50.617{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFAA33B0B8DB071F1C7E93CE96BFF94D,SHA256=5E0FAD2A0B1BB877D1FAC71CEBECCEEC2C2744DA06DEA2A4E59E4C2F997D85E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044443Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:50.617{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BD1D7A1EEAA6F7725D70922CCF1BFE1,SHA256=FB2ED659FDF8430EF83E1334F1CCD5B78932EDE45A9E06AB26FCC9EEAC456F5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025533Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:51.656{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BFCEC477A1F0F58463352A76D97600A,SHA256=1E5BA529F41278A8BE5741196E49D886E5C7B69E07E87444C5792A8C937A408C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044446Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:51.716{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4346A2FBE684CE204D8FA2814A61FE65,SHA256=2CFBBD9D803D134DD001277C551C6642796E83665E183E3C37C0CCDE1C80271E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025532Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:51.593{FFF7FB96-041E-6136-1200-00000000F101}1020NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=94DB929A91006AD8F9BC17BD612ACE28,SHA256=374E1164B3EB7BBCE75066A68BB5C6798DFB5611864F3600FC9743D6973D6E58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025534Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:52.656{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37DD9E862F233F9F209215C9CA18DD8D,SHA256=24F3CB51903A890F524B3C3D0E61E27BE865370F2AF942F160102BFD98AD34D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044448Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:49.663{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51640-false10.0.1.12-8000- 23542300x800000000000000044447Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:52.753{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FFB8DA49062C873AB55D8CFBAA8042A,SHA256=54609E1CCC97AF7A574ECC977C5C53E7CB0F56F15050E488686A14133A9FAB03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044449Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:53.768{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E38C91794F7B69FAF716DD927452D5,SHA256=6E7A8AAE58C24203C99F4C5EE69EE5EB02E9C6BD639ED6AED5C09F5EE4383682,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025536Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:53.672{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA857D62F41E7CD4E4CE4D4BE6458FF2,SHA256=4D7A011D6A8FDF9BAD1A5EF54C8A41A6BC3A0C5E226E10ABDFC22E7460F80F3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025535Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:50.940{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50893-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044450Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:54.774{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=952A9E4D9847AE034D006800F0FFD208,SHA256=00FA3E0C94A900D6B7F0192D8CD82B12BD3C4D35B45F01F31B6D3DC9C8FA9D66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025537Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:54.672{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=446E0A4EF1AB8CA0C3E45695FC10FC64,SHA256=1B3D6396C58996DD127327F3BBF02A6612DB39267DD93ED8A0D3B2105E85EA24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044451Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:55.789{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9311A83CB4C2D29F0367AAE74DAC4D51,SHA256=A33E316C5DEC1E19EBEEBBC7809864A12141F05689B1798901AA76B70D4BF542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025538Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:55.672{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97C8CCF7C600FD7B93172931159110C7,SHA256=B60AEA440AFD153312FDD79C95B1CF9EA78550A0BE4FBC82ABF1282998F923CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025543Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:54.888{FFF7FB96-0422-6136-3A00-00000000F101}3056C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50897-false169.254.169.254instance-data.eu-central-1.compute.internal80http 354300x800000000000000025542Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:54.794{FFF7FB96-0422-6136-3A00-00000000F101}3056C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50896-false169.254.169.254instance-data.eu-central-1.compute.internal80http 354300x800000000000000025541Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:54.754{FFF7FB96-0422-6136-3A00-00000000F101}3056C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50895-false169.254.169.254instance-data.eu-central-1.compute.internal80http 354300x800000000000000025540Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:54.754{FFF7FB96-0422-6136-3A00-00000000F101}3056C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50894-false169.254.169.254instance-data.eu-central-1.compute.internal80http 23542300x800000000000000025539Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:56.688{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2499D45089F0F71930E043F7DC8EDE7B,SHA256=3EE08EEEB3084A7809ADBD678E069131C1AF0D60C42B259E71FD2C17F087A9B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044453Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:54.714{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51641-false10.0.1.12-8000- 23542300x800000000000000044452Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:56.804{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31246043005E2392F6FCF7B4948AACB1,SHA256=B9D649D890B500B3E7DEF5E368B1A87C3CC22056C5C968C4C58927F6D910FDD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044454Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:57.857{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89FEE6F78F1BDAEEB48339835690A5D9,SHA256=FD2FC270DB14667B877B55452DF4417EE7A532DBD29E2284BE4337DE79B1CA8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025544Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:57.688{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBBF54EFEFDBFAE15004D8CD69DD78E5,SHA256=A6F536D4C97F5F5DBFAD4DBA2D46272CD343D2CB05F8C1F9A67D5AAE82EB3892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044455Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:58.872{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7699D876C3B357DD89C2AD01FA5A427A,SHA256=E65FF3C4E586D71515E96C83EA5F3978C4F4095EEE500CD4C047E6CCB3AC03F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025545Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:58.688{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50484290E57EC7E4136A94D29D9AF1AB,SHA256=DF1B674A8C06B3BDC0A2D0F09094E60945E36D0C7F2CB8257A655617DF30D61A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044456Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:59.887{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=059587BB3576FEA1EC6841CD57F6174F,SHA256=00D74D37B6A9A810166EC2AB0736F6D7D7AF2EC08A19CC0DB9698D8B59814A14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025546Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:59.708{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FA70783977E57DC16947B9884C40F7D,SHA256=5C2BB8F087BAA4D7D8D80D0415CFC96AB0F81C023F0A1F10883384B5DD1F0FFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044457Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:00.917{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF39AD40EBA744A52597289C491F6410,SHA256=5FB8B32FABD249A26167F06DC85387059AF9C24DEBCE6011E12F6BE23D95FAC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025548Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:00.754{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C20FA6E4542A924C65771B7EA9620D3,SHA256=4091B23CA3959999D37997A40CEBA7C46BA27FFEC7ED62E177B9E1DB19CE3599,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025547Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:40:56.894{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50898-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025549Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:01.786{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3179C27940B8812DCBFE5514C58DFF9,SHA256=7ACE87C7201DBD3D33EBD420972A56344024FD3E48E4807C2F630DC54EED9465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044458Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:01.918{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A3F1C36389128157F8F3FA47E76510C,SHA256=7E92F4909D1F5596BAAAAA1F9CE92C57985A1112775B37692357C4AD964B7F5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044459Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:02.927{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C26F15C0E0105774F72C39F9A3F9EA8,SHA256=BC41B28CB40366A16A33DCBAF037D226425E519767493E5732623275DF1970F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025550Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:02.786{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A0F6F970B82E0338C70EB8FF6876203,SHA256=F8B965820B5F9042A703CC30B2DB772AE871964C03E84D7DDD4E8196E063DC8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044461Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:03.945{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC7E1757141CEDBEC5543B8627F3E8D1,SHA256=3EB26C561332D4E8C8C52A7C45E21BDE755B0E1EA14670E2A452B7E1C38C3A8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025551Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:03.801{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD93D908D6E9A907D3A2960B1D81EB57,SHA256=34FD33139DC444A7C722F5426D404216BAD555247D7D63E833FB44DED309EF8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044460Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:40:59.826{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51642-false10.0.1.12-8000- 23542300x800000000000000025552Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:04.833{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15CCCCFD3BD3DAD991755EE6F0BFA943,SHA256=DB1F442808C23034B8A82B98D1A9A3460D7FCFD9BF6DE77A2E704D35FE1EEF2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044470Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:04.963{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D17F1D9A04F660D7B1305C89A0343A2D,SHA256=A7831DE93BFAD275795AD7F28AEC9040D7CB423F559262596B99353B42B767C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044469Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:04.446{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1A70-6136-D808-00000000F001}4532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044468Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:04.444{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044467Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:04.444{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044466Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:04.444{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044465Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:04.444{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044464Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:04.444{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1A70-6136-D808-00000000F001}4532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044463Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:04.443{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1A70-6136-D808-00000000F001}4532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044462Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:04.442{323FE7D8-1A70-6136-D808-00000000F001}4532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000025581Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:05.895{FFF7FB96-1A71-6136-5206-00000000F101}2864432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000044490Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:05.978{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A60BDD1D9503398C66E5368C442F53B7,SHA256=E85BA6A633F7CA06622BF7FCB93ED7EB2AC1BB302297B3B1F2E91B68910A6F6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025580Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:05.708{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1A71-6136-5206-00000000F101}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025579Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:05.708{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025578Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:05.708{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025577Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:05.708{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025576Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:05.708{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025575Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:05.708{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025574Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:05.708{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025573Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:05.708{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025572Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:05.708{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025571Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:05.708{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025570Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:05.708{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1A71-6136-5206-00000000F101}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025569Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:05.708{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1A71-6136-5206-00000000F101}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025568Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:05.708{FFF7FB96-1A71-6136-5206-00000000F101}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025567Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:05.692{FFF7FB96-049C-6136-9F00-00000000F101}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025566Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:01.992{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50899-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000025565Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:05.036{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1A71-6136-5106-00000000F101}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025564Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:05.036{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025563Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:05.036{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025562Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:05.036{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025561Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:05.036{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025560Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:05.036{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025559Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:05.036{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025558Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:05.036{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025557Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:05.036{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025556Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:05.036{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025555Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:05.036{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1A71-6136-5106-00000000F101}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025554Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:05.036{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1A71-6136-5106-00000000F101}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025553Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:05.037{FFF7FB96-1A71-6136-5106-00000000F101}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000044489Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:05.962{323FE7D8-1A71-6136-DA08-00000000F001}64246124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044488Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:05.794{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1A71-6136-DA08-00000000F001}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044487Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:05.794{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044486Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:05.794{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044485Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:05.794{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044484Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:05.794{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044483Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:05.794{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1A71-6136-DA08-00000000F001}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044482Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:05.794{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1A71-6136-DA08-00000000F001}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044481Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:05.795{323FE7D8-1A71-6136-DA08-00000000F001}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044480Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:05.462{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4ED1F811DAC1ED687846C4B1BCFF94E5,SHA256=7676B066993F69C1E01D6AA44406573A209CCA24678E634B88F4054D9FE5BD45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044479Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:05.462{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFAA33B0B8DB071F1C7E93CE96BFF94D,SHA256=5E0FAD2A0B1BB877D1FAC71CEBECCEEC2C2744DA06DEA2A4E59E4C2F997D85E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044478Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:05.125{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1A71-6136-D908-00000000F001}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044477Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:05.125{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044476Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:05.125{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044475Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:05.125{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044474Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:05.125{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044473Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:05.125{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1A71-6136-D908-00000000F001}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044472Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:05.125{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1A71-6136-D908-00000000F001}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044471Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:05.126{323FE7D8-1A71-6136-D908-00000000F001}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044492Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:06.993{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=922D1283AF5224A21B5C067CA57898A2,SHA256=C0A66654D2916B21C867D8C4C8AAD0960539BB87E225C6364B7798670AC7D1F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025598Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:06.926{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=579B55F9AE31E7571085F1B76860A6DF,SHA256=FCEDF25C19B1517CFE97B3D8A9937AA168A5C15F94398D62C85AA4842A5B1651,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025597Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:06.380{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1A72-6136-5306-00000000F101}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025596Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:06.380{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025595Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:06.380{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025594Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:06.380{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025593Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:06.380{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025592Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:06.380{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025591Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:06.380{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025590Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:06.380{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025589Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:06.380{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025588Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:06.380{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025587Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:06.380{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1A72-6136-5306-00000000F101}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025586Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:06.380{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1A72-6136-5306-00000000F101}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025585Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:06.380{FFF7FB96-1A72-6136-5306-00000000F101}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025584Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:06.176{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=697812627D0E47C729DEEE89A2593A79,SHA256=6246B8C07370A92F74CAC2145BA51E652A4C5AA15C7439E3C800005388BCFFA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025583Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:06.176{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BDFA0F7F53176DFDB668BF4948C75E6,SHA256=00E1F56D560CE215CD44D1DBA24799201BD5650775734C598DFFA5E20C4299F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025582Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:06.176{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A53D19F6A968D68264140931D64D41DA,SHA256=2C98541E75C038021CB25820A9D7E497C614C807A697EF56DA67053967091398,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044491Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:06.593{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4ED1F811DAC1ED687846C4B1BCFF94E5,SHA256=7676B066993F69C1E01D6AA44406573A209CCA24678E634B88F4054D9FE5BD45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025615Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:07.942{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E313FACA9BCD7B01F36BC092287712E7,SHA256=88E0D7A127E5E1CDDC387D547D9ECA61CA7DE16762DC0842736D76BD3B694F61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044500Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:07.977{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1A73-6136-DB08-00000000F001}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044499Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:07.977{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044498Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:07.977{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044497Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:07.977{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044496Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:07.977{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044495Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:07.977{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1A73-6136-DB08-00000000F001}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044494Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:07.977{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1A73-6136-DB08-00000000F001}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044493Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:07.978{323FE7D8-1A73-6136-DB08-00000000F001}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025614Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:07.583{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=697812627D0E47C729DEEE89A2593A79,SHA256=6246B8C07370A92F74CAC2145BA51E652A4C5AA15C7439E3C800005388BCFFA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025613Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:05.523{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50900-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000025612Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:07.473{FFF7FB96-1A73-6136-5406-00000000F101}40082980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025611Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:07.333{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1A73-6136-5406-00000000F101}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025610Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:07.333{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025609Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:07.333{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025608Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:07.333{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025607Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:07.333{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025606Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:07.333{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025605Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:07.333{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025604Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:07.333{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025603Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:07.333{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025602Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:07.333{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025601Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:07.333{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1A73-6136-5406-00000000F101}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025600Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:07.333{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1A73-6136-5406-00000000F101}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025599Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:07.335{FFF7FB96-1A73-6136-5406-00000000F101}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044515Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:08.979{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A596F282BE42007966C6B8BB3064B3BD,SHA256=D7A9BA2DA5DB7F861CBE9603FB8AE2AB48A2D33ED9BA962849CF53A93B89A306,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044514Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:08.849{323FE7D8-1A74-6136-DC08-00000000F001}1176844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044513Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:08.661{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1A74-6136-DC08-00000000F001}1176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044512Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:08.661{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044511Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:08.661{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044510Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:08.661{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044509Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:08.661{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044508Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:08.661{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1A74-6136-DC08-00000000F001}1176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044507Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:08.661{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1A74-6136-DC08-00000000F001}1176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044506Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:08.661{323FE7D8-1A74-6136-DC08-00000000F001}1176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000044505Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:05.819{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51644-false10.0.1.12-8000- 354300x800000000000000044504Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:05.171{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51643-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000044503Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:05.171{323FE7D8-023F-6136-2800-00000000F001}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51643-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 10341000x800000000000000044502Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:08.177{323FE7D8-1A73-6136-DB08-00000000F001}10481688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000044501Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:08.024{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49852A91E1C8B9250C89B0ECA8D7CB1C,SHA256=9B3D06280E296A1B8F1D0ECF58879D543488E5B632EC0390737D22ADDA6F3183,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025644Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:08.897{FFF7FB96-1A74-6136-5606-00000000F101}1308928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025643Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:08.676{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1A74-6136-5606-00000000F101}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025642Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:08.676{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025641Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:08.676{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1A74-6136-5606-00000000F101}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025640Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:08.676{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025639Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:08.676{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025638Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:08.676{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025637Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:08.676{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025636Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:08.676{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025635Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:08.676{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025634Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:08.676{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025633Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:08.676{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025632Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:08.676{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1A74-6136-5606-00000000F101}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025631Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:08.677{FFF7FB96-1A74-6136-5606-00000000F101}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000025630Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:07.070{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50901-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000025629Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:08.161{FFF7FB96-1A74-6136-5506-00000000F101}1132912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025628Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:08.004{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1A74-6136-5506-00000000F101}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025627Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:08.004{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025626Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:08.004{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025625Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:08.004{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025624Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:08.004{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025623Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:08.004{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025622Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:08.004{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025621Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:08.004{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025620Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:08.004{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025619Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:08.004{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025618Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:08.004{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1A74-6136-5506-00000000F101}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025617Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:08.004{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1A74-6136-5506-00000000F101}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025616Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:08.005{FFF7FB96-1A74-6136-5506-00000000F101}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000044533Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:09.963{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1A75-6136-DE08-00000000F001}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044532Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:09.963{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044531Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:09.963{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044530Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:09.963{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044529Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:09.963{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044528Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:09.963{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1A75-6136-DE08-00000000F001}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044527Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:09.963{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1A75-6136-DE08-00000000F001}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044526Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:09.964{323FE7D8-1A75-6136-DE08-00000000F001}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000044525Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:09.447{323FE7D8-1A75-6136-DD08-00000000F001}61281780C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044524Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:09.279{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1A75-6136-DD08-00000000F001}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044523Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:09.279{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044522Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:09.279{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044521Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:09.279{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044520Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:09.279{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044519Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:09.279{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1A75-6136-DD08-00000000F001}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044518Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:09.279{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1A75-6136-DD08-00000000F001}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044517Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:09.280{323FE7D8-1A75-6136-DD08-00000000F001}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044516Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:09.026{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B48DDBDD213F9D6B86CA80364071095B,SHA256=D6C833F175DD548699DC2AD872C6CED0BC19719C4D6B8C56719FD7F428057D3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025659Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:09.192{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CFE4DC9017D78E6C1018FC1D5C03611,SHA256=4D3E696F877DF15A58523231B0A3CA1464FDC9A67ACA6BD0ACF25A778424F1DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025658Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:09.192{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E286306C9B0E61BED40915F3230AA7D4,SHA256=14AB72ADF522E0426DFE35DB3ABDAF9D42183E047DA5487252445F183F364F2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025657Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:09.176{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1A75-6136-5706-00000000F101}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025656Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:09.176{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025655Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:09.176{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025654Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:09.176{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025653Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:09.176{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025652Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:09.176{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025651Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:09.176{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025650Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:09.176{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025649Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:09.176{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025648Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:09.176{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025647Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:09.176{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1A75-6136-5706-00000000F101}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025646Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:09.176{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1A75-6136-5706-00000000F101}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025645Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:09.177{FFF7FB96-1A75-6136-5706-00000000F101}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025661Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:10.176{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97F3A4CD910872A4256F9A89F63F050E,SHA256=A853CC4B90DB37EB6E9472ECB80F378221512004557AC7D3597897B167BF54A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025660Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:10.176{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A53EAF56E4345CF96B1B6198AE4E0BCB,SHA256=3C48710094C1CA61DAB54ABA059E14474600CE72A22EFF60743DBF3E9B7726D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044535Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:10.284{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53AF0CA5DDA216581CF60B383F4CCB66,SHA256=CBEEEA87ABA3CF5D231FF2F01F8DE5AEE70DCEF01F4F2C81E49BA07DB8305268,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044534Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:10.053{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0D3FA9EC8082FD19B5C0A78FC51D88F,SHA256=096516898E8245F50BAE07053F65BB3CE6219836B956627CCD3238E2E7ED2147,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025662Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:11.176{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF0211D1AD44AC024D9C6E0E11E6326,SHA256=BC6CD68C23BABD4BEF2CF9066B4A403CE33D68D08EFAC57F6A052312EF2D56BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044536Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:11.068{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=245501849D210A0DB23DDD3CAFE4F36B,SHA256=FF465F59D965C2CA69DBE825DE3146FCDEA34725422053A0A908F9A771DE53CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025663Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:12.176{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B4954CAFDFFBB763E1F9536E96D242C,SHA256=EF864424D9B6EB2CB276BD1EF524A39339457423066A47B0BD8AF9AAEF01B405,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044574Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044573Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044572Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044571Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044570Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044569Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044568Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044567Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044566Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044565Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044564Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044563Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044562Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044561Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044560Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044559Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044558Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044557Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044556Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044555Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044554Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044553Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044552Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044551Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044550Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044549Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044548Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044547Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044546Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044545Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044544Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044543Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044542Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044541Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044540Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044539Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044538Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.298{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000044537Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:12.083{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB65915A558BDD121D83E09A06A2CC17,SHA256=9FB5BE11563300DF8EE750A7544B882196206B0611713F65FE59829BB12C0FAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025664Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:13.223{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA3F8D4EEAC69C3C239416DF6BD0599,SHA256=A0BF4447EBBAE52CE5117223E462886C04FA82A32B96E21AC9E521FEFF9D436D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044576Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:13.229{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7272AA64E800EFD1D833CB060C08FE4F,SHA256=AA75A922F5BCE5408B91533DA6B7EAC11ED2F0B622F7E58AFA7FF7B95A24E5C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044575Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:11.660{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51645-false10.0.1.12-8000- 354300x800000000000000025666Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:12.913{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50902-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025665Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:14.239{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F39578163F5A5F90E6D7042E3490B343,SHA256=B52C8BD715EAF1A4DAA2C198BED1C216F77DC1E1FA84761DF6DB2FB2E308CA7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044577Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:14.150{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F21BEC487A45CE4E4263EE454DD9C626,SHA256=B7FDE824FCE3BD9DEF8ACBBCCA4BEC0E12C242FE10AB1A83F2B0DFB0595256B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025668Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:15.491{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\respondent-20210906120554-092MD5=4761C661187147E55C9BD88F93ACDD3F,SHA256=E49051AD655512C416AEEFA39D6145E31F50204E8459201070596158B48A8487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025667Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:15.239{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA32DB972ABDB9A11A787309F31D7FC2,SHA256=45ADEB603E255ADF4B88C1EC6CEF18D9655E254CBD6D00A475646BEC54290506,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044578Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:15.165{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D71A375B79AC7C2C00F32EACC3B4B7,SHA256=FDB9AC535A8B0DB9A5ED363C1EBDD2D7ED238109DF8881E8C6584D75B307BB82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025670Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:16.504{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\surveyor-20210906120551-093MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025669Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:16.253{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD9B1507FEA4295CF4154C05A893B36,SHA256=88D23B8F1070FAB66326B3DCCDF565A09431367511B876C0A23EB9682DAD89FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044579Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:16.195{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BE688ECF1D5779043690BD533D53A8C,SHA256=D06F0F161FF7DEA76A0664B21740E22E5A318D46A72F00C98FE57DD650C95F1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025671Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:17.286{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=809EC2BEAF019BE1C8C4BAB5B1452F3F,SHA256=D3BA602761C8FB1B685EF8E75B01D8966A107851F61C299130E037B46ED90052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044580Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:17.211{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=556C8704CF16EACF4D868CB404B0FF58,SHA256=A20E7E26A77F5CE75558C9DFF9042E93D43AC447B6455F51ACB221763C1927B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025672Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:18.317{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C242B0720D52987F495D3B535121455,SHA256=BF0A355EB6F7A853664B83101BA7057184EC91A64CD9B68F7FB02F2097553962,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044581Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:18.226{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BC29B68831B0CF860611658F7CD0634,SHA256=CAEC2998E8BD416397410F570BA4F3522D49EBA303758E0A1E327F2137067FBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025673Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:19.344{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D35C4952A72080A3A2FAEADB74D8108,SHA256=EAACBD597A9134DEB6F51FF4056B389C9506BA4E22613FB63400E6A00E21AB5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044583Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:16.719{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51646-false10.0.1.12-8000- 23542300x800000000000000044582Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:19.263{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3122D56D37FF2807AC728D85C60F026,SHA256=ADFA109C45A572D4DBBB6000FF5B2DA8C08560C0E8B7F9565A8CAD7578C47755,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025675Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:18.909{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50903-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025674Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:20.359{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F67236880F60FEB848F7D7D25038AE39,SHA256=FE4525AE0903162559BE251C789902BADCCC8733BDC3E127FD0EF66DED0FE121,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044584Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:20.278{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8297190046309C0BDB58EE25ADB61112,SHA256=433A268FB1C59C2E43222BD48BE46FBE99C5A1EDFDE874357671E531326666C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044585Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:21.293{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28CC4C39E6350B96176F8355A6594F89,SHA256=0658E381E23F9EB93A3FD8C57AF94EB788CBD3F4AD18FEE2A2A285E5B2F6E33C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025676Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:21.391{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32218DAA1830A315B7878903635637EA,SHA256=B8C7DCBDA9E11D37BD4A0C57014ABB539A17788EF710C15C8ADDE776C19EE8B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025677Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:22.391{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF98AB79876CFC429B51D40EED2A6CCF,SHA256=27F12A4B6F6A2C3762D97A9F070CB7C9B0F448676F687D85A7A02DF579380E5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044586Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:22.307{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=738C6D46763DD64B444E373FE62A5458,SHA256=0686277F541BED1FE1171CE2CB9E3E6AEA97325A5298CBD315CD8DF1C8522224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025678Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:23.391{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC0EB5C453AF4463899302F77B3641E7,SHA256=C3BE00369BB2AE708461F1076B4A294411C2B79B410E6269F8EDFE72965C617C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044588Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:21.753{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51647-false10.0.1.12-8000- 23542300x800000000000000044587Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:23.341{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=474061E2174EA6C29E8FBDF658E69B08,SHA256=9499DCE2377C550A4B8B0C5CB2469045C31CECAC812C6CBD6B5DE196F843F775,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025679Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:24.437{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A700BB1DB46578AC700F7386F6F33BB1,SHA256=212DF1E5BF7BB3BC0ADB73B54ED2445DCB5CBFF627DA9615869BD0A8D418647E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044589Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:24.359{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BB0064D40754179180A0BC681D4B617,SHA256=D75356D0ACF181C637FE238E2267BC326C679C6361CF70435DB977D426F5D3C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044590Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:25.389{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=402B640EA96FEFC016575D55EC949857,SHA256=550F5B58C0343E521A7E69FADDCD0664C18F6FB0378246CCE4E9B2E9C9B8C142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025680Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:25.469{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C26660909BD3C45B1B2F27B10AADB157,SHA256=C65C273EE63A89399DF794013F9B979BE76CC99A423187FE2B4708282D1C5EE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044591Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:26.420{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA83E42022EAAD02E124757956867E6F,SHA256=4CD4F45DC8ADF19A82192A590FB47474F8349467DD8CFAE55C5A4CE56390FFBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025681Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:26.484{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A934A8F9A0FC34C3EECD4C59D5AA6976,SHA256=C688A113005EE0A211290662182CD58C04B82D52632813E011600BDD234E0029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025683Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:27.500{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4579176A0B6C9AADB1084A4A2A2874E2,SHA256=DFD127D4391B39A84B5F6390AAB5FC15958AB332FB6BE56BE0275D395C80120B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044593Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:27.440{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA53C046CDBB9AC482200DD227A12DA5,SHA256=644A7A2CE9869A90C44703BF5F5C9BA4951FD0D05682AD7411F3803B23B20D89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044592Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:27.160{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\respondent-20210906115753-100MD5=58D52BFFD80488B8005F7C319C2D4334,SHA256=B9D8441D1BC2ED8425146F5F211E2A21C477807F4E0B7EBAD9811C868FAB9279,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025682Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:24.909{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50904-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025684Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:28.531{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B1114CAA62FA9B536E3601F3744D8B2,SHA256=97D564D7755ABA2800561C25335F72BDCAAF193829D2AA6304BC824A1F8F5298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044595Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:28.457{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40195C295493DD8D64A48F23DBA0C3EF,SHA256=0A505D951D617C375936F77E31A11E1F286394EBFEFA021F1E9C72583C65CE01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044594Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:28.174{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\surveyor-20210906115751-101MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025685Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:29.562{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=438E26B00C7AE5B2121C10FDB6B8CEA9,SHA256=1BE6672260F608F046D71A2D1143FED0936F7ADCDE9CD482CF1732DED6C49322,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044597Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:26.832{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51648-false10.0.1.12-8000- 23542300x800000000000000044596Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:29.473{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC68C818046721219258B0C09AB4B65B,SHA256=8C57B3B1CBACAEB0FECC2CB2CE28EDE985066C02E8E5577354540CDB72575EC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044599Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:30.487{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E73BA62F00F0791B9291E8A8EACCA915,SHA256=196DBA916A913369D5FC2AA2582BDE39CB33A5AD73F59CF52DBBFDF0369B9C86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025686Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:30.594{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC7B620772A90CBBADC739D17AA7727E,SHA256=A9F293CC561FAB5D4DB8CD441E2BC267B20079DDEF72CBA6F2F2C4EC43FD5135,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044598Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:30.219{323FE7D8-02BC-6136-A700-00000000F001}1036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044601Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:29.796{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51649-false10.0.1.12-8089- 23542300x800000000000000044600Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:31.503{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5250035668A27166A2781F016C03D6C7,SHA256=1B29495DBAB59706954E35E82618AB4DF223603F389044CE0E8C66DA8B21B188,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025687Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:31.594{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D71E984846045E04C1DFAAD0B0551FAF,SHA256=8BF96C46EE6519E64B924C341FCC2CE4C0BF708DCE7058CA77B8B0D9E5562F7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025689Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:32.594{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F923A2D8162AA44AA300CD120B32862D,SHA256=38234A511A3F282BABC078B5C52E2ADB5C42D60BCA3C1FA1A6FB24063B440697,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044602Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:32.536{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE830DD5463BDF931293FE6DFF93B39A,SHA256=CBE30917B12BB20D010D10DB3156C51500F8362F9F1CCD58F20710BF8B9D09C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025688Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:30.893{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50905-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025690Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:33.609{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E571DA31750E32E5421D546921F0729E,SHA256=131C4C2216B8528CAA38BC05F5C263F6F03FE77385C3B85A86B68D9FC3218589,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044603Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:33.554{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0071C3651BBEA58448FCDDF8374D3A22,SHA256=DF5D5B32422C870A49E339AA993E7440C8C495736DA5D1CC7CCB674F52CFD219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044605Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:34.569{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B51AE7989F06E7C42316CFDCB48D4BD,SHA256=F3E17E6DD00503F337A78C1C2447B70337AFD8AB942EE13011BB2E8E4EEE393F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044604Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:32.747{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51650-false10.0.1.12-8000- 23542300x800000000000000025691Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:34.641{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32E5680EF70CC99BE48B97FDC6BEE272,SHA256=5957EE0D955BC86EBB48405BCC5400E1359618F9A77131B962F447F27AE17657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044606Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:35.585{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=500AD30AB4E45309D112346B4B5D07F3,SHA256=896D7B184217A8983144B697656EC6D6AECBFAB9707562C7F0A7D42DC1BBCC1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025692Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:35.656{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA6DF8135E40AAE2132E260191943754,SHA256=314415A75B8E67E8504F914AE559E3C80B1DB0FB2549F4C99DA3B2FBC39DD39F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025693Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:36.656{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=488395E80EF5E221CCDEB3A735331460,SHA256=F3E6F36EA0F76795A7EBD383ABB10DD0952C7C3E530F8F5B5E84702B8A4C4F2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044608Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:36.599{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6B7F760B34B13310E30BBEEC3E93AFC,SHA256=C5B4A6B9A8DE4EEB612C14883BC172358661897524345179C006D5E514525417,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044607Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:36.215{323FE7D8-022E-6136-1000-00000000F001}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=52223B67D35EC82F75F8A312495C4BFB,SHA256=9690FFBE32BC8BD4F560DBB6E4B965E2F4BF6D929BA68BDEE7E185E45E966B5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025694Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:37.672{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=741B607AB5C1180485C8DB6C96C4559B,SHA256=0DD7AA6C4180A7FC63D51AD53AA152214411C24D565D57B220F84377E542064D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044609Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:37.615{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E84212C7BADC97DF7C186A650C3E51BA,SHA256=A796D8127CBC561B1D6F9A126346BD392DE6862C4571A38171A786526374AB03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044610Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:38.633{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97EC17F98314010F325CE87C56117ABF,SHA256=936F98B613839A7C7739FBFE0DE26426E1288A0B19EE41FF0F8C3F86B0D004E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025696Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:38.687{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28BD5A30B6395A5B1C3B2149B065F2D8,SHA256=D347B2484760A92CF08C94CCD0A9682DD0B8992906653D49572B014E189EC863,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025695Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:36.081{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50906-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000044612Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:39.729{323FE7D8-022E-6136-0D00-00000000F001}9042288C:\Windows\system32\svchost.exe{323FE7D8-022F-6136-1600-00000000F001}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000044611Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:39.651{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77A71E35686404F7283D0AC49ECE39F7,SHA256=C2FAE61B54BB99C410A23E4DAA195C5B9D7120B6F2A7EEE254B388A5774626F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025697Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:39.723{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5314098C7D0CD97E9931AAA859E80F4,SHA256=6C63BE9B12763032BF5ED805A6E0A14FCF1AFD9E2C91DF5D7FAD500EF5E1CC8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044614Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:37.827{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51651-false10.0.1.12-8000- 23542300x800000000000000044613Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:40.713{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53ADC6A35B7113446AC6ECCA20BD22C7,SHA256=E39672EBE3A84FCDEEA6E3A2BFAFDB7932B7D678063608D1AB13C0A9871CA777,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025698Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:40.723{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DA9ECCD87AE4D5906282482FA006E58,SHA256=650AA37E9D0F368B7BA942E2C11642524ACF0C7AE732F2FCF27E9335DDADF930,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025699Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:41.786{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=633BF1D6AD9A4EC2E02A6C0B17808DCB,SHA256=C402D54774A757AE05AD39C3A5B4CA05C7A3A35828BC27EDD1E1AC052C107A96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044615Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:41.731{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97EFEBE0D9FA059F2A21830986FBE30F,SHA256=154D0A8745BA6E29727368E2389BB3B5E46A04F115DC55C2BB2101707B6528C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044616Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:42.749{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3322BCFA599E6C78C875334FB4AF82C9,SHA256=6925722B5D80490FB1658B4A1353E624368EA62401DE388EF6A7A40F21C70BDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025700Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:42.802{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A9C6E16226539AF2A810666A2AC819,SHA256=F598019F31644B5C7FA5B65E922C37EA9A27FE8B0F0DE011AD584040CEEB0AD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044617Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:43.764{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E22C16F2D18721E2408325F893D214E9,SHA256=E8EF059DE8DD314B99E482F3E58231BDCCBD5E9351E2DB78E81980F1B786E18A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025702Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:43.817{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=507CEC02BD327F7A50A6E54148AB9137,SHA256=C3A63A9D5A6E7B3D5C6A27949A098CDEEDEA9CF12ED7E81EE13B19D3ADC2EE7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025701Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:41.898{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50907-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044618Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:44.779{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4FA3D7FC7E681964D5B5B5A3CD33F3,SHA256=B656E00C5C475F3A5C97268440175E2A95B8217A3BBC58BBA321219CF3970842,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025703Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:44.817{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A28F36D242BC4C7B68CB6F3F36C3C16,SHA256=4A4CFC39C6C8266E962112B2F56033FB9D72577BD56E35D0C82EB8C7CD12AB48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025704Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:45.833{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DC849FA2EFDB6C280135D9E869436C7,SHA256=EFBF3AD740434DB453B7991FB82C9B4D3CA3E5287ED819CD4439E2F5CF08FB84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044619Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:45.795{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B644D99250F0869ACE144CA68AEBF06,SHA256=6904B895F9142FABA1958A82DF0852F301EF4E2500D7CC543A31DADD1F00D4FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025705Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:46.833{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F07A30BA2C3097654A678A42D4587534,SHA256=E56A175E50B6CF9F730AEAB6A0E1EB51C2F3387684471733F68E593D45B43E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044620Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:46.810{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=963494D9E4209BBAC591CD0A5F942FD6,SHA256=EE82F6D5161D139FCEC2A2159D4D4C953CE074CB66692C70ADEDE6CD710C2194,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025706Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:47.880{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53C0DD0407B8DA94001EAA7F4EB5338A,SHA256=AEBC53923F7F5DCF77F8A0AFCB3B3992150C61E1389A005AA92119771686120D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044622Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:47.813{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48D810264905315F5B79072CC2BBC886,SHA256=CA965946553428D0E26D9607AE6D5B8FCA5EBEFE3E9ABC59209185771C8195CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044621Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:43.719{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51652-false10.0.1.12-8000- 23542300x800000000000000025707Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:48.880{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57D4E416F199E32F3FF538E119FA6F89,SHA256=599C158E28669ACF0898B1EB242EBD40764E8C0A3B9B8D39C9447B9994CAC6DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044623Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:48.850{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BB4657F4E5F30F852A47CF10E9CCAA2,SHA256=905DCBE22BD57DC5D4E0B427FC4E45F81EE59B05DDD3B560C9F0D0BCB3CAE495,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025709Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:49.880{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=054F298A7BEB1555866A54A62CCEDB11,SHA256=63DF5104025B5552E91175E7C45E4CBC1575AC509D3116712A0E730FF8B64109,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044624Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:49.865{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98EE4648CBEC6E232B76C87229AE01A,SHA256=D56BE74B12C02A7756DE81A57DBD09283532226E0913FBB0C3FB9B8274F90D32,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025708Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:47.007{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50908-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044625Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:50.880{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D88413A687C2B29A9368F8257B7639A6,SHA256=F6E717C7FFCBE2E72E24B01A33E7E20A3BC2F4CBA2F3D0492B2495DBD37F3F84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025710Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:50.911{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A1C10B3245E9503F79A8C179436B55,SHA256=38C57A88A9907D3A21761C79D667E296A8C08C03FC805E17F3DFBC5425E85582,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025712Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:51.911{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD1B525BDDA88B3701E6E08573AA5B4A,SHA256=BF1F4D675F2067CADD11F26C856EEFDBAF57376804631DFC787BCB7C1061EFDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044627Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:48.724{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51653-false10.0.1.12-8000- 23542300x800000000000000044626Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:51.896{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1DED31CDB05854E290F9D55AAE083B0,SHA256=C4369B4E993AC9BCBFFFDB016BA1B3C43A287E42C3FD5199E43016F8B416736A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025711Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:51.598{FFF7FB96-041E-6136-1200-00000000F101}1020NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=75B0DF5E25E0C0981503E17DA74F9515,SHA256=516D6F4FBC0870728A245B614B19C6A3308F722183103277CA0E99D832458626,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025713Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:52.927{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D97C4FA1104E00D70986391ED2AA9973,SHA256=9537A9AA0B9C2693DE7207888D529319CBB2A1DE80924CE4D10BCDF1E127BAA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044628Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:52.911{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B4521597A5A6B0D8D9A3D218A79AD90,SHA256=0D4BADE317E9D2C99354B987F08861FEA55AE0381ED12C273CCD8E10C5AA3C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025714Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:53.942{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4695F7302C6CD54C7C084E1A1845F52,SHA256=BAB37F739741A6EC30B8CD974B618D9A25E635E93DD438F3CE1EE569CB0BA417,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044629Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:53.928{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A738890913CE7EA5D18136D01B1D5579,SHA256=B756DC29D21D95CA0693043BF177A59FE95BBBD40187E1389DD7439B83E079FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025717Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:54.973{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=014DFADCE23FDE1B7F78E80F75A32A33,SHA256=78BB41EE1ECC6938513F3F2F699B92DF3ECFCE42D4B2655DF0CCD51A6FA69A92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044630Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:54.947{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8D53857D6BBEB18B1FAD3FE5D9EEDAD,SHA256=D63219137622E0049458282E7CD0A6B68D6645111369AEAD1EA03E2156308B7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025716Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:54.223{FFF7FB96-041E-6136-0D00-00000000F101}7883500C:\Windows\system32\svchost.exe{FFF7FB96-041E-6136-1100-00000000F101}1008C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025715Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:54.223{FFF7FB96-041E-6136-0D00-00000000F101}7883500C:\Windows\system32\svchost.exe{FFF7FB96-041E-6136-0F00-00000000F101}948C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000044631Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:55.962{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DB6B5FEE765886649E1B9A985F7E04C,SHA256=20AA87FD3BC0C86096071B31DACD762F625728045FD20036AB824E9063A7C95B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025718Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:52.960{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50909-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000044632Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:53.818{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51654-false10.0.1.12-8000- 23542300x800000000000000025719Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:56.005{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ABE51C9055580465B58BC4B99B73B0A,SHA256=94AC7C550CECB329F1F33EDDEA8A686541ABCAEE458E93F043CD5585204C5F81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025720Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:57.036{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C5BC739AFA458E1435CB53CEB6644B1,SHA256=9A2DB68153EDC285224B16F4FCD3345AB557BCBD76C7967127A7F2EB88095E41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044633Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:57.008{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C0190048AED038878AA0499185EB2D6,SHA256=9E374CD159D1220D7E3F38B8D80467BA07E7A93E2FB4BE4ABD410D9B66A8D1E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025721Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:58.036{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF2F7E86625D7935A2CB3FA23786B679,SHA256=49DF08AB1463EC87E6B0DBFAC031A246A8117E5459A81051A34DD01D688E32CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044634Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:58.025{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=780B2653E8254C091998F41AD3586234,SHA256=255D2B971531E7BA44477ABF251E0F40A50315A6EEAD1ABA1865068DD6DA9877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025722Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:59.066{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CABF951948B8828FDADA44FEE9E26FAF,SHA256=187421C21A9534C59A798E2FB36649059906D1DB2E19847959C1E4500C8DB276,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044635Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:59.045{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C815DA5091FECC71A7F7017B7DBDE36A,SHA256=E1ECFA244C07216DB6C79B2242DF8575475E907E6CEDE1D5B3F06E2EEACA7600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044636Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:00.045{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8266F93F14E8351D56915E314DB69C2,SHA256=6395FE1897906D4AC1741B2A916784FF3001B318DCA86353EB8283B52D8F5E4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025723Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:00.066{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDDAFE2CE9E0B300A62EB7C09BCF9ED2,SHA256=139BCB01F2C6172361F3C164A96285C7B312CA301572F3F77C50FFD7C25FF4EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044637Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:01.060{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8D0571AE54B5E37BD13F74D1D571B4C,SHA256=37E1501853A22FBCE523BA4473025536D27362BB814DF212AC0E0E68F1FC5178,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025725Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:41:58.959{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50910-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025724Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:01.129{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=225B5C5D83994395373FD3C6CCDF7CCC,SHA256=429EC53CBD0F7DDA774B4FE59EDE8BFF126096F259B033637008FF70E6BD5EA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025726Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:02.176{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4D9783648FF1A66E94037D9F9891A46,SHA256=0D3644CB0628A4C03AA449409CC8FA6F75CD68D4E78A93C5926B5296CAAE522F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044639Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:41:59.768{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51655-false10.0.1.12-8000- 23542300x800000000000000044638Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:02.074{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4665535F1D94AF979B4DAE3222861223,SHA256=E85B8F6F4514292375D9BD38354B27334C79B59145742B21F1E72955E264830A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025727Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:03.207{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BF13622DDA92ACA85ABC02A8AB477CC,SHA256=6536B4085D511144CCB056CA481F955B89F61364D232D7BB7708CE14FFD6E228,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044640Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:03.105{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2C2679B6B3302AC7EE4177C51C700F3,SHA256=61F214C4AA94013804C5F6243235DFC97C3EE7AD6C5B1FF38AD7AB103D251D80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025728Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:04.222{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79A7134430F083BF42C85102A76283C0,SHA256=9C41D670FAE4F59D9E81AFC0FCA38933DC1E1793095801E92AE48D8E073053C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044649Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:04.441{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1AAC-6136-DF08-00000000F001}6148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044648Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:04.441{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044647Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:04.441{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044646Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:04.441{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044645Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:04.441{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044644Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:04.441{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1AAC-6136-DF08-00000000F001}6148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044643Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:04.441{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1AAC-6136-DF08-00000000F001}6148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044642Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:04.442{323FE7D8-1AAC-6136-DF08-00000000F001}6148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044641Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:04.122{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B8E9D0CE7EDD5A44153682B4FD2179,SHA256=8A58873D0E7D033C57BD78D4F33F4E2BEDF51C8B45EE108B5D4B2FDAE08DCB05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044669Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:05.711{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1AAD-6136-E108-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044668Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:05.711{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044667Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:05.711{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044666Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:05.711{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044665Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:05.711{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044664Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:05.711{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1AAD-6136-E108-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044663Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:05.711{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1AAD-6136-E108-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044662Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:05.712{323FE7D8-1AAD-6136-E108-00000000F001}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044661Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:05.442{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D3099CC7923E2F0469E897B73534C87,SHA256=04ACDB12F0D0E70DC6C8213AD4EFA4E3A92A0555C5041FB875F871FCA2E828D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044660Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:05.442{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09F6D627D949A1F2D11E09352E7503D0,SHA256=8DD1E7002E752163757898FDFA912388E2DC64624A9B1F7959636959089CCBD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044659Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:05.342{323FE7D8-1AAD-6136-E008-00000000F001}6285688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000044658Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:05.125{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F64628117313416D030DA521EA174B30,SHA256=173615776FD61F87CC7D42AFEA5253E1DF85C12C371636328DD513A7BB8B095E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025757Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:05.722{FFF7FB96-049C-6136-9F00-00000000F101}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025756Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:05.707{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1AAD-6136-5906-00000000F101}1436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025755Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:05.707{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025754Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:05.707{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025753Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:05.707{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025752Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:05.707{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025751Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:05.707{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025750Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:05.707{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025749Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:05.707{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025748Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:05.707{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025747Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:05.707{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025746Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:05.707{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1AAD-6136-5906-00000000F101}1436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025745Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:05.707{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1AAD-6136-5906-00000000F101}1436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025744Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:05.708{FFF7FB96-1AAD-6136-5906-00000000F101}1436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025743Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:05.238{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0E7321813C45E18C0516E5AE7555D26,SHA256=001BD29F991302A5D98685357B1C75EA3450EF813AEB603CA47F039F491C9CF4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025742Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:05.222{FFF7FB96-1AAD-6136-5806-00000000F101}26482784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025741Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:05.051{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1AAD-6136-5806-00000000F101}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025740Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:05.051{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025739Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:05.051{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025738Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:05.051{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025737Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:05.051{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025736Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:05.051{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025735Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:05.051{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025734Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:05.051{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025733Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:05.051{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025732Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:05.051{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025731Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:05.051{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1AAD-6136-5806-00000000F101}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025730Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:05.051{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1AAD-6136-5806-00000000F101}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025729Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:05.051{FFF7FB96-1AAD-6136-5806-00000000F101}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000044657Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:05.040{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1AAD-6136-E008-00000000F001}628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044656Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:05.040{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044655Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:05.040{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044654Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:05.040{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044653Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:05.040{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044652Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:05.040{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1AAD-6136-E008-00000000F001}628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044651Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:05.040{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1AAD-6136-E008-00000000F001}628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044650Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:05.041{323FE7D8-1AAD-6136-E008-00000000F001}628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000025774Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:04.897{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50911-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025773Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:06.347{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39965DBA724F385D5B1B0C9220A465FA,SHA256=A685B737449871AFD9805A8C59814CB38EAE6B1F4669A6D7B6FA588CE0AC11A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044671Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:06.612{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D3099CC7923E2F0469E897B73534C87,SHA256=04ACDB12F0D0E70DC6C8213AD4EFA4E3A92A0555C5041FB875F871FCA2E828D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044670Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:06.161{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=116FEC2EE3A6C2A42F4A9C8C94B674D0,SHA256=817D9F4F866BDCF863FEAE43EEBEEB89200FE2FA47B06E62A65D52DA0B2DB7F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025772Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:06.207{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1AAE-6136-5A06-00000000F101}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025771Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:06.207{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025770Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:06.207{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025769Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:06.207{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025768Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:06.207{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025767Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:06.207{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025766Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:06.207{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025765Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:06.207{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025764Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:06.207{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025763Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:06.207{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025762Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:06.207{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1AAE-6136-5A06-00000000F101}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025761Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:06.207{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1AAE-6136-5A06-00000000F101}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025760Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:06.208{FFF7FB96-1AAE-6136-5A06-00000000F101}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025759Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:06.176{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=762873D70575AF41A5E559EC739C1A96,SHA256=9BB029B8DD117ED3CDFEE1A7804CEB2C3071AFD6C280A4EF117A46BB3645BE52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025758Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:06.176{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1379DC2AEE765EF9184B961A5173DF68,SHA256=926A5623EDDACDAA8D2B40DFC2058053B28946798C60D888AD94611CEA6C1EBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025804Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:07.832{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1AAF-6136-5C06-00000000F101}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025803Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:07.832{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025802Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:07.832{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025801Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:07.832{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025800Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:07.832{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025799Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:07.832{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025798Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:07.832{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025797Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:07.832{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025796Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:07.832{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025795Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:07.832{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025794Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:07.832{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1AAF-6136-5C06-00000000F101}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025793Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:07.832{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1AAF-6136-5C06-00000000F101}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025792Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:07.833{FFF7FB96-1AAF-6136-5C06-00000000F101}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000025791Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:07.535{FFF7FB96-1AAF-6136-5B06-00000000F101}26403588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000025790Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:05.553{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50912-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000025789Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:07.379{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=762873D70575AF41A5E559EC739C1A96,SHA256=9BB029B8DD117ED3CDFEE1A7804CEB2C3071AFD6C280A4EF117A46BB3645BE52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025788Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:07.347{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A910ECB42B26E32EA9EF96A79F3E96C0,SHA256=D2424398EF5AD1672C2BA5510633F2222D2B2316D65D9A5DDA2F1C5A5B7A3B00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044682Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:07.991{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1AAF-6136-E208-00000000F001}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044681Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:07.991{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044680Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:07.991{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044679Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:07.991{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044678Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:07.991{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044677Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:07.991{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1AAF-6136-E208-00000000F001}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044676Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:07.991{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1AAF-6136-E208-00000000F001}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044675Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:07.992{323FE7D8-1AAF-6136-E208-00000000F001}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000044674Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:05.189{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51656-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000044673Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:05.189{323FE7D8-023F-6136-2800-00000000F001}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51656-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 23542300x800000000000000044672Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:07.176{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA768826B75158C50473F6BE8B82DC49,SHA256=E0DD380F50468442EC10180AF867E74E0CF0EC1026739658737467C3DE7A18C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025787Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:07.332{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1AAF-6136-5B06-00000000F101}2640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025786Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:07.332{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025785Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:07.332{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025784Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:07.332{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025783Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:07.332{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025782Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:07.332{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025781Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:07.332{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025780Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:07.332{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025779Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:07.332{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025778Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:07.332{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025777Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:07.332{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1AAF-6136-5B06-00000000F101}2640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025776Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:07.332{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1AAF-6136-5B06-00000000F101}2640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025775Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:07.333{FFF7FB96-1AAF-6136-5B06-00000000F101}2640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025821Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:08.832{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3C1239BC63A04B99CD5AD34AE6E462E,SHA256=BA4986BDF4F4E1C7C49A2ABBDAADC5514C55867455C561A4AC62EB3A9017A803,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025820Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:08.660{FFF7FB96-1AB0-6136-5D06-00000000F101}33003416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025819Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:08.504{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1AB0-6136-5D06-00000000F101}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025818Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:08.504{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025817Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:08.504{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025816Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:08.504{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025815Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:08.504{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025814Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:08.504{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025813Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:08.504{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025812Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:08.504{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025811Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:08.504{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025810Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:08.504{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025809Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:08.504{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1AB0-6136-5D06-00000000F101}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025808Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:08.504{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1AB0-6136-5D06-00000000F101}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025807Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:08.504{FFF7FB96-1AB0-6136-5D06-00000000F101}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025806Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:08.347{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C27CC8ADEEB063184656222F94892D,SHA256=DFCB3A0DA38BEA3FD9681E12F031393CF671D951A122E0F3F171A3EBC6E68010,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044694Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:08.813{323FE7D8-1AB0-6136-E308-00000000F001}32964984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044693Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:08.660{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1AB0-6136-E308-00000000F001}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044692Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:08.660{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044691Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:08.660{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044690Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:08.660{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044689Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:08.660{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1AB0-6136-E308-00000000F001}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044688Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:08.660{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044687Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:08.660{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1AB0-6136-E308-00000000F001}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044686Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:08.661{323FE7D8-1AB0-6136-E308-00000000F001}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000044685Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:05.754{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51657-false10.0.1.12-8000- 10341000x800000000000000044684Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:08.260{323FE7D8-1AAF-6136-E208-00000000F001}67083368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000044683Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:08.213{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B86102FFEFCB40F5882B90B0CD31918E,SHA256=C5E28A39EE3470268E74FDFC7563982708060FCA343ECC51758D0A77829E9B3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025805Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:08.004{FFF7FB96-1AAF-6136-5C06-00000000F101}9882960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000025835Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:09.660{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DAE87339BA3AFDFA870EF3212AA7A41,SHA256=48B4A75BEB1104AD73762BE86D9383EAD044F8D1AEBCE1400B97691676618826,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044713Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:09.928{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1AB1-6136-E508-00000000F001}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044712Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:09.928{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044711Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:09.928{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044710Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:09.928{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044709Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:09.928{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044708Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:09.928{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1AB1-6136-E508-00000000F001}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044707Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:09.928{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1AB1-6136-E508-00000000F001}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044706Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:09.929{323FE7D8-1AB1-6136-E508-00000000F001}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000044705Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:09.412{323FE7D8-1AB1-6136-E408-00000000F001}64244376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044704Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:09.244{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1AB1-6136-E408-00000000F001}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044703Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:09.244{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044702Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:09.244{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044701Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:09.244{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044700Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:09.244{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044699Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:09.244{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1AB1-6136-E408-00000000F001}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044698Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:09.244{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1AB1-6136-E408-00000000F001}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044697Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:09.245{323FE7D8-1AB1-6136-E408-00000000F001}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044696Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:09.228{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C67E4D7EC4DE862FA1E9FC72AC6F84,SHA256=FB58065B0F1C05865333BB4640594416FF45A3ADD883AC560597D5C7E88F0CDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025834Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:09.176{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1AB1-6136-5E06-00000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025833Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:09.176{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025832Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:09.176{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025831Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:09.176{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025830Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:09.176{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025829Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:09.176{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025828Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:09.176{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025827Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:09.176{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025826Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:09.176{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025825Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:09.176{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025824Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:09.176{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1AB1-6136-5E06-00000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025823Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:09.176{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1AB1-6136-5E06-00000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025822Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:09.176{FFF7FB96-1AB1-6136-5E06-00000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044695Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:09.010{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E3A56DB46CB735B22F8511086C36BAB,SHA256=B20B209F7E8E0A09CCDB8D43C823D3FC1C37C95977DCB063C1CB17C8C6641B95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025837Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:10.676{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F8CA343345438A732BD26A79EDA2B0C,SHA256=45DB8259BFF2AE3D97B921C8DA9EEB416203DA08A01851A8B4F584D9D9842754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044715Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:10.259{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C353D164C56F5A73D6C6D28FFE3BF1F4,SHA256=0DB85AD8D9DB24930E4E85094EF05B6DAB3FC02D1A248CEF36435751F357C44E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044714Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:10.244{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AE80D3089B62ACCDE3A28EDA629EE83,SHA256=D4F97EC587C166A1B390850D1C1345EDD2E2A9ECEB6A0DE1C78CFE22CCA5B116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025836Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:10.191{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02461CBC331006C3111DC0698C122B19,SHA256=AA7839AF783495EEFD0D6EE707153FCBEEFBCCE683A470229B203F2F497E8BBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025838Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:11.691{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEDA1AE68B09AFD95EBB2D64132C83E8,SHA256=00E84613BD5AB3BE28FBE4E860CE8B3D043909B49FF13297892E4536C0FBB211,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044716Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:11.259{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4208189E3DD0CB1B3E2D728C3F3F85BE,SHA256=98B17B9F72923A834DE49EB23DFC834547F7DA1E65A6CC841A9EF6A96E504134,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025840Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:12.707{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=039C6BE84C79698F7E066F78A7212439,SHA256=7558709CAECDEABE4FAF91DA7589EDF8415B2928FF0C51C409403BCC1A8F8477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044717Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:12.274{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97034157DEC2533266662D09319DF18A,SHA256=CA775F819CAA978A917BEA14715E1738F324AF5AF98C8AD2F4372179D822CD5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025839Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:10.084{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50913-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025841Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:13.754{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C8CEE597CDC1F1CE4A05DB7F4FC8152,SHA256=3B21A77248AB8558E1D3B0DDCDDC62F532BC076F71D18AAD74C888BF4A0E9D3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044718Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:13.308{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B30EAD718FBC8364927B4ED2DA88914D,SHA256=474191BF9E7F43E2C0C01D73CCA829C3DFDC718CCE157A5701CA4CBD0874E667,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025842Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:14.816{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1D009DCAD1D86EE39FCEC129D0FE8AC,SHA256=7BB27E016ECB0AF4490E6FB6D882B62A3B0B26902B8C20D3927ED3376B35C41F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044720Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:11.751{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51658-false10.0.1.12-8000- 23542300x800000000000000044719Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:14.342{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B998CEAE1774E03225890C5140A9A113,SHA256=ADCD5482AD161890F3D259367EF541BB06FA41C74B17FC6CC18312374058B820,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025843Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:15.879{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=881F87BF96422ADC2AEC263AB5965E76,SHA256=74069A411B9FA42962E4B3965B0754DAF3C66DBF7BA2686A97D4C5C71F1091D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044721Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:15.373{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D2B8D1CA2196398E27F2280C05A9269,SHA256=382C4AFB8DFE7AA4692297D085C94A9050C6142C6F2892AB1BFFBA0F98D03BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025845Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:16.881{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F496E31D84DD8D1DE93AF86D78867D5,SHA256=4C5D2968C0686F8E53D1A9ED0B798208543D6512D4818BC1D3DCFA0222D28A1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044722Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:16.406{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E1B451B2B4844E1488FF1049596755B,SHA256=748D88AC9F8098DED541749D7502B89EEBE13D96C3CB8C74654C0FE6F2DEE8CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025844Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:15.085{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50914-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025847Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:17.896{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4F17E1717145446D0683BFC916DB19A,SHA256=2DA5685F2D6E977384F6595C1BE04FDF291CEDB5F7E70FBBC52B39FAE08E3955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044723Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:17.440{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E75FC6070C122F5661A4A5C16DFF917,SHA256=7267945A6A62DBCE12F229F060FC57DFA533216C57E5753DE8896519A658C611,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025846Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:17.024{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\respondent-20210906120554-093MD5=4761C661187147E55C9BD88F93ACDD3F,SHA256=E49051AD655512C416AEEFA39D6145E31F50204E8459201070596158B48A8487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025849Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:18.908{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59C9D6336A0BE3E6A34D7963C470377E,SHA256=1BBB1835FC71BFA7114A4341AD7CF4D2DE1B1BC6CFDC5C7388C55259BA6E38A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044725Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:16.795{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51659-false10.0.1.12-8000- 23542300x800000000000000044724Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:18.471{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=494C11A9DA4FAF390DE6EA5758737E66,SHA256=30DFC59B32CC336EBEE0EB23A8664AB388F97A59CC3AFC0426E441882B587D2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025848Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:18.038{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\surveyor-20210906120551-094MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025850Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:19.924{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFFBCD44883AC518A010EF6AC1BD3484,SHA256=F6EF447EA0517B9FBB64FD9AA35C2F8440CAAED3D69C5431B2F7C0A547AAEBBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044726Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:19.486{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92570D8DE51B784FC0D2466A63F0F6E3,SHA256=E920EC888AE8E0EB34E9B8FA793133CD02E09CBF1E5369E941766F1B4131E7FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025851Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:20.924{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C82F1C2FEB8F7630118D92EC990BBA44,SHA256=B3144BBB553C239A16C036943EDB312D4D10369A4B4817D034E5E5B6F5998A2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044727Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:20.503{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=034559951BE5BBF992F11E249B952436,SHA256=677951BAFDEF6AC8B2DECD0F4C5AA7C2D9D32B4FE3EE6B2D16CFBEF4B0939AA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025852Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:21.924{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27A1E87FEA1124E50BA7714D06442FB4,SHA256=E1087A4770D03A368B481C0D1239EB5284E68502C3DC14F91C003BE5BEBE2F92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044728Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:21.522{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D60161FBDAF231CFCE28D384242897FC,SHA256=28D7366C76CA1CF7FB8F1564CFCEBBFB6BE9F5AD839F30F1A47CCB26B5D1FEB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025854Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:22.924{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D70E6008976C9A1093C021CD77AF2BEC,SHA256=4D34193D5ECD479764D1D20DDE33135E6F0A595DE2CA81A4FCE5E7D2CD81BB83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044729Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:22.537{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C86A52FA90B8D926789C4B149EA067F,SHA256=44320A4411E29E2ADE148B36CC553CF7E53770EF392152AC731EAC751CD9DB43,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025853Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:20.958{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50915-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025855Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:23.986{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB1A92B8F7A4A0EA24C68C153816B4C1,SHA256=A16EDCA12D1351B3701CDA67ADB39CC0075EFF42F7A9475A12E6DB1F9C1D4D9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044731Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:21.814{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51660-false10.0.1.12-8000- 23542300x800000000000000044730Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:23.552{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21673AD53932D5F91BFB06AF603B5AE0,SHA256=A406F636B9BCDA0E253504DA2A7107EAE516F0455FDB3693D4F14AC67F34AF81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044732Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:24.567{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA79268A5167459244DE94BF8EEDE9BB,SHA256=1C0EE28E800C2853198BC0E51680A6915622AC3BD7AE93548E1FE118512A6F9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044733Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:25.582{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05CEF89364128B34C2F7B404260385BC,SHA256=CB9E18B5EED5D27D7F9A6DD70B0DFEF17C39B879A3927A7C01540364A36C6589,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025856Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:25.064{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D44CE17507DE160E2A18BEBB24CAE7CD,SHA256=1E5EDC65FF6CEC434571CB9B383858A17EE2D4E6C61907590203645E1CC97764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044734Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:26.600{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E2D15E855F40D380B8749600A58D55A,SHA256=7ABB7D87380773F8557B4F5A185A19C8FD19D0CCBAA7D2CD58A1B7DC2067A3B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025857Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:26.064{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A733AC25BD9BDC4C543FBD7AB5C5F714,SHA256=01CF2B2CDD23A415DDEC8D5750023283C0B8EA79B17E26D2ECD08375741A5FF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044735Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:27.618{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AC8207AB29026D408D59871D044D2A8,SHA256=9F09E70255A063C6658A884FDB2EDC7B4A3C38A0BC9D529001DB94B47BF5C595,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025859Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:26.052{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50916-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025858Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:27.111{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EF7307371704DAD93E145C5A7644296,SHA256=7DB1CD6D1578D088349410906EA6C7C3FD3BBE18F1B119D76336E0801A4BFE1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044737Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:28.698{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\respondent-20210906115753-101MD5=58D52BFFD80488B8005F7C319C2D4334,SHA256=B9D8441D1BC2ED8425146F5F211E2A21C477807F4E0B7EBAD9811C868FAB9279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044736Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:28.649{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16958B31688E32121F99DA2CEF8EC169,SHA256=3C4BCE8B97F0FF07742D05FD905D77ABDF891F227BBBECF8ED3F12CA79EA3E01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025860Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:28.127{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF6DF8EAF164AF7C81EB59FF0FF7DC7A,SHA256=763994C57916B045881FF6BF9880938B764F5F1109D9F36FD63E76E41D8CC9BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044740Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:27.789{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51661-false10.0.1.12-8000- 23542300x800000000000000044739Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:29.697{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\surveyor-20210906115751-102MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044738Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:29.664{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9BCD81C4333E717A9C49AEF54EBD467,SHA256=4469B3905EA9EEC0B875BF14852D1CBEA19841B3DE7B38199C461788857E63C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025861Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:29.127{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4FCC90A2158EC30BD79EA067D37E9D1,SHA256=6675B29872A8FA145A9CC755F817980F3C86BC6497A19D9A4F9C0F8ECD94A840,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044742Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:30.679{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D7BC4246EC03F9E99BEDCCBC3279B5C,SHA256=13AA4F4C0873E41CD98A28F416B573B3A1D3B4274EB79646A696D23EBE3131A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025862Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:30.143{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50FC0C9398032069B4905B8B27734A0E,SHA256=81DF068755222FB87D65355F3D8FE4736DB319F1F24FAF6C3C8C313331464983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044741Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:30.238{323FE7D8-02BC-6136-A700-00000000F001}1036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044744Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:29.813{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51662-false10.0.1.12-8089- 23542300x800000000000000044743Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:31.715{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FCB3B6D0DDA072C8F05304F747C853B,SHA256=9FBA290E8C022354F516326EDDD18DFA542EF64061AD93F819420797D1BD3053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025863Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:31.158{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EA13FAE0B08E82C9E453B1E234F7069,SHA256=7B06D6FD9E6C88D2711A99BA58AE4CE51C95B02A97EEC6B33D0E8A7798F2E85D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044745Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:32.746{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97B8CCD112A7533A4C84DE42E910C0CE,SHA256=4D40F184AD76FC6EF89322E2D2A7F64C7D2CB2BC20F93C43ECED16653403ED38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025864Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:32.158{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F42C8BE6303A816D942AC44D7A51F8A5,SHA256=A6D2AB14FD8F167FFC92F9B540032CA9766F69F368447AAC84512C659A7F1B68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044746Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:33.761{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=890072AC4C2C68BE439D4B0DC30B3C43,SHA256=62729C323BB4CE10CAC679611F7D034708B034E535695ECCE87F93EDFD83BF6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025865Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:33.189{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BD6650133B05507BD40D7C3AB9AC7C5,SHA256=97D0316A1A32FCDAA50B0B627E754A8F213D1EFCD2AA4AD3E4D55D7AE3D01B37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044747Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:34.776{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3731994DBE554AF8A223D506C5B3417,SHA256=7C4F2BF6F59A40BB7B78CC2090831A2CF6EC96DC5AAED6AE2774DB7EBB133F5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025867Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:34.189{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=955781ADA8E3ABA3BB1B333A8A70C715,SHA256=BD63F636552A5D7B82E9C784FC1DCB38A113A6FED65D0B86E8EC574439D4F00F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025866Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:31.864{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50917-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000044749Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:33.806{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51663-false10.0.1.12-8000- 23542300x800000000000000044748Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:35.793{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D443B6718BD25F8718275AC39BAC6B7,SHA256=59A7A262706C64181DA8E08A0151B048F08A529BF9DBA14D89275EA65610CFB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025868Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:35.221{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F52993B332C45ACB476B7242966BCA38,SHA256=26CB604C7C205320812C946E8874990CD2EBF7E6E4766BE5F4EE9E4D7259F58A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044751Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:36.812{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=237D8232607E3BE13C728AFA5B6EFB75,SHA256=093C962C553DC24A6BEF6AEDDB7507B89DB260A6782737CEDD6423F754217001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025869Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:36.252{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0620CFA10CC317C39A3C3DED75708ECB,SHA256=CB75D6910FA34FA523F6793A136F403B135CC8D65F3104FE78E76D5BAEE6FB32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044750Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:36.228{323FE7D8-022E-6136-1000-00000000F001}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1F7FEF67149EB14DB22A4E8AD0CCC008,SHA256=D2DD9C3860523BDF15DC7A500423F3930EB2C1BF21091B2A93842131FDC77DCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044752Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:37.827{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7F4381292EE8C6B60B55B7B1573335C,SHA256=E7EB4B1EFDEECBB2607036C08100411BD0AB211B88842CF5C4CF07D4F6C635EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025870Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:37.299{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA591F5391B93F928F53D39B978D8A6D,SHA256=951AEA5EC0D2705B54ED087C12E511045D701C31F7731E286090B0654E1FB668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044753Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:38.842{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18FD16FED9B7C2F33FFDC93A4FBCD068,SHA256=EFDA510A475F824A369CBA097297159C6C194E4AC27888903540D8F96B588752,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025871Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:38.299{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FBE17E2325A912BC6E3E7B50A3C0B84,SHA256=FE271E475257B58D2D88914AECEBD800A201429AF31E29C8626C7CE3D996BB21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044754Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:39.872{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F41303DEBAE53BC1354DD995126445A,SHA256=BAD65574260CC4245D488DFEAC349427584E675AD5894758F15AA689E9FD5ECD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025873Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:37.864{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50918-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025872Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:39.319{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1794BBF1525B34ACCFD2C2F936F417E4,SHA256=39A16E0F9757D26D15E22A945FE1AAC62C115C720B3DE349E0DCE72665F612DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044755Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:40.890{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BE5569B26EA19D5274F492F0CAE4F6E,SHA256=368FB40D5B918751FA78B65D04BF132E891AFFFABB52BC0A2D61907F71CA1072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025874Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:40.366{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6B690B25B66112B28EE9EC354793B3C,SHA256=987B4188DC4CEB9FE868BE3328C23914E6C91AC1FDF63BF1BB652EEB5B3AD98C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044757Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:41.910{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59449804ACF905558138522F2A2C0001,SHA256=57D538E9CD8ECAC1E2F438A4F7E153271BE45DCF327B7952F3F90AEBD8F6E1AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025875Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:41.382{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB3100A60F8B62E6A82129AFA2C7DEE1,SHA256=CB87908429A5DA8F24C277621F074F64A36D878C585D0EF496A5FBED4DE85C10,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044756Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:39.784{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51664-false10.0.1.12-8000- 23542300x800000000000000044758Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:42.940{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AA1725C94FC6893716F10AFE8975462,SHA256=DD79587153066F5CB85C9505873B1B0E333C62298B2F40CE3B76CB0BC5EB5FCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025876Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:42.397{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6441E2B99BF055AFBA9BA8D7961842FD,SHA256=896EA8831A8F97D9668C9E605E76E8AEF6F3FE05349E9B5D875BD1229414F3E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044759Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:43.971{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0820C5B8491B6286570C583011504AEA,SHA256=313AB49C8CEBC492656C63FB3D6094EA028B12AA979FE8868A40962B7C9EF344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025877Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:43.428{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0242BC9D30EFE6023EF6148683FD373D,SHA256=B641A518581A24845C07662359D0842B67ECC9E7ED0698D3BBD033FB67FECA9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044760Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:44.989{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB0C2A50F3DBD932A73CE2FDB6E5DA8B,SHA256=63377161865D08FF1579A439F205C2763938F962AFA6A73CAEB4A666EDE7C29B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025878Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:44.444{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01AA70AA7033E346964F8C5F47042737,SHA256=E04FE9EBA8C252E0617A3ED257AF18EAABDF6651E7257D184C55B2FE0F9B4845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025880Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:45.460{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=333511CE97610CA38C0FD5D04961BCB1,SHA256=F6EF3F88D3543697AA7506FE754F4E11BCC29AB66FE7A5EB659ECA189025E439,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025879Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:43.025{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50919-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025881Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:46.475{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29DD47BA38861D64EE9D011D979ACE8F,SHA256=9CE6A386113E5BADC7C6FC32676CE5C97E60DCAB9E56D4BC326F9428245F357D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044761Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:46.007{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=565FB34752DB9B108211C31E59899670,SHA256=3E96C523A461E9F19726BA663AE7F8BE143EAC8FD7E23FD12274E77B71EEC749,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025882Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:47.475{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=896F0B7BB18A98B6E7E9A8CFB9E72D1C,SHA256=322F48CBABEC2FDE427F607DB11A9BABDCCF45369573F19DC0D2E453747558CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044762Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:47.037{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=438B9B31D359817D533EBF751B0D96CB,SHA256=22B25429A1F02983D57447712EDC6E7DE6198FA5CE5D8F5AB4E5252E28AB2377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025883Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:48.475{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F44588ECAB60A3AEDF3B4F3C25A025F0,SHA256=D8E5B62E39F779BBDB6378959A2946B785376431B568422B3BE682BDBABCB3D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044763Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:48.037{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56FE0597D2BA9D247AC5FE240D06B064,SHA256=6F5494C5CEFD7340830500D7E1A7E0BFDD6D0278715619157B40ED19CC686070,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025884Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:49.507{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A43A505DF645CCB2B798C7587D2202C3,SHA256=4EB3454BE25E65605766E403F7B72837874A0151068B452C409D4A8B3ECC0C35,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044765Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:45.714{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51665-false10.0.1.12-8000- 23542300x800000000000000044764Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:49.051{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7A25CE74501C37C736A59527E91D66C,SHA256=3258DEC4490DCF61753E07AED86FBBEB9D0A1AF49E5EFB8C0DD74B5A22017DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025885Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:50.507{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01D61034954599BE3C33383B1EA7C271,SHA256=5026A18D9AA02F194445D1DCBB349E5D3AA85690F883DEA827FB836E7FFB11D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044766Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:50.067{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CC8E8B9437366EFAD86DBE32C404047,SHA256=FC2D32B985BA07D523AAFC7A9858AF05AAF97EC143DAC6297322C8168B324BAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025888Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:51.600{FFF7FB96-041E-6136-1200-00000000F101}1020NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A2B43E61ECE225EF12EFA0F34E78C0D4,SHA256=3CE13CF975FFEA6EA89B4D95A094AF164B734B267772ECF88BB8511EB8DD4CA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025887Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:51.522{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CEE63C1DBEE8E785AFDB9C524CE0E63,SHA256=A5CF53CA417A00EB4185C041576E9BBC9DA91091FD147E7789D65CAC30CB9299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044767Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:51.104{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D1C94DC55EAFB289BBD04CF192AA0D2,SHA256=6A10298DC3BC0BA67A1A097CA58DE7FD656C4DDE8D9922491BB2E0F207C00367,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025886Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:48.947{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50920-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025889Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:52.522{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F5846A2165A0E1CF854226424F447A8,SHA256=B8147F8B5923D75CC2864775F6C4A0BBE234AE655D29B35DF301612ACFAB45C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044768Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:52.135{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C20765FD18441ADB12EAAA50BFE4978F,SHA256=F1C0B2E73C4C4AFCFB2432C8447922B1481A31A293D09C21D8DB15F2A2B459C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025890Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:53.600{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E95353CAD2727262CE80EECAB58F02C4,SHA256=0CAFC2BE04D30F855D0F1AAD6AA33853EC6F042BCBA06D49CB9F73E61996E26C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044769Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:53.202{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEB603608546D95AC1FDC2592A3C437F,SHA256=DF52B71D465C409CFB596A8301E0A6EC63B12F13394CF6051C4194675D6E2B6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025894Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:54.600{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B1282089E00B8D02DF98B3B8DA375DD,SHA256=C7479542F455AF67BB1C6E6DE65CDDD2A6A77FDC9E2154300CF30C706D399534,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044771Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:54.333{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=292A91E53BD6EDD38EB7FF8D17F4D0B6,SHA256=599457797A08E07C685E846BB3495B9E992C49D217AF384E23EE5D5B0BD29859,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025893Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:54.007{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041E-6136-1600-00000000F101}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025892Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:54.007{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041E-6136-1600-00000000F101}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025891Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:54.007{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041E-6136-1600-00000000F101}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000044770Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:51.711{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51666-false10.0.1.12-8000- 23542300x800000000000000025895Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:55.616{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F87775A327D3EAA144804918140D85,SHA256=6D7D68E14CDC7974C3600F1D0F6FCF7A2935A1666B734607AED5A2E7C722B9DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044772Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:55.364{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF605FBCC37F4D3897F2BBE20B1E8D45,SHA256=2821F03F120210CA5F8663A7F77FD37C1E299FD03BC839EC12C4B6941F3BB7C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044773Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:56.401{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67CFF1D870590769066AD60DA5E20E14,SHA256=BF7198D721AB9AAA8EFD5115F3E57A50ACC49AC77A58C7DE113FFE8EBE45852B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025897Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:54.025{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50921-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025896Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:56.616{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2801D7060FEBA8580F74116A9A423A93,SHA256=F5FA3BCB35F2695869A83F27833274B248754DE12EAEC8311C304B4D1045F868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044774Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:57.431{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BCC785E23D90FE3E7D16DBFA7DF87AA,SHA256=2DE7AE4834BAC36C4C708BCB15B14078ED0422749F5BB648EA77423B311387A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025898Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:57.647{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F8F4F9E019CC1D373E4F43A81DD5B7F,SHA256=2AF3AE36166318E0D7D1B3EFDFD517761ED497F60FB55D1CBB3597D1442A0D26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044775Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:58.481{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E840BE5CE71CCA7D58542F64AD5480,SHA256=DE275C20218DBD6C31AF2AB008C7BCBFA5F17E42655F093704FD14C7442BF070,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025899Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:58.647{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0C3D6F72A6F651E1EF0C9CF46733DB1,SHA256=10971E486ED2148E008DF01FCF0EAD4EC33F9325732F19E1ACA076A0BDA3052F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025900Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:59.683{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63286B1CB0BE6F1CAEFCE988632AF94C,SHA256=E081864BA8FFE194B71C85A3160CBEC7173294A0D3913834DB620C3316CB084F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044776Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:59.514{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=007642C02E42409D766D5144DBB5E192,SHA256=4C46E6A290417E5FB3886FA34D4C1BDB072319966B6CEF2E9C02F6705C490284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044778Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:00.530{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=797C9605F1F4D115DFF8E53D56023BB3,SHA256=B98E599528019D9E27842DF1D13A22E0E92D4FB27AA18680FA063E95650C4D51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025901Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:00.699{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42D83A79F7F25AA67FAC72C6D7BAAC9B,SHA256=863D48DB9D3C592740EBF40140EF61C64D225BBF7F38B2B301D56F4684E0EA2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044777Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:42:57.707{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51667-false10.0.1.12-8000- 23542300x800000000000000044779Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:01.560{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7668CC0B631A7FB0BD90336D9BF8340E,SHA256=CCB910DAEF35393BF6A0165FA113E6105C8BBB5F6833AD1FE850E43F1A38671A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025903Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:42:59.967{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50922-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025902Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:01.715{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E2839A6E5690A03C06C0C0EF1F76125,SHA256=1184D662120F2EE99BA56BEA0B7E600743DAE6057B513B88FB02C51979ECD107,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044780Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:02.578{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=333702F8EF952A5A524FFEAB48C03F3D,SHA256=5ED31FD31639833A7687307171A7045727DE30717DB529AC6AD0F370409D605B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025904Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:02.730{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25CAA6F4C189872082344ADFB8EE498D,SHA256=38CF96CD6FDF1B9288D71A23607690A9DD0478F8FB368844528A6A3DF6AB7A6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025905Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:03.746{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A504892826B50E4B8FC803BC7E4DA17C,SHA256=E3D3A69D1D60935BEB2168141FCA73426B0E4ADE0B0D6125B7AA5076A14C2EDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044781Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:03.596{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C444F9FC34F01D96E55B817283C1CCA1,SHA256=A01D4876351C67F973920DA6103ECA461D204030FA6E37A3185A05DDA8CD1CFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025906Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:04.762{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE5F2C27A51605847B7CF974E903A7DA,SHA256=F085CD6C67F8E9D005B08C4FB51DC53F1D60D048A2B9DC75823FC2F17D5953BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044791Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:04.699{323FE7D8-1AE8-6136-E608-00000000F001}16083584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000044790Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:04.616{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4585B0D2973450ADBC32389C6A5291B0,SHA256=497C508C09ABC643EEBE6B92295E3182B8E156C2EC781615644B9CD84768AA56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044789Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:04.443{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1AE8-6136-E608-00000000F001}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044788Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:04.443{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044787Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:04.443{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044786Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:04.443{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1AE8-6136-E608-00000000F001}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044785Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:04.443{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044784Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:04.443{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044783Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:04.443{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1AE8-6136-E608-00000000F001}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044782Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:04.445{323FE7D8-1AE8-6136-E608-00000000F001}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000044810Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:05.773{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1AE9-6136-E808-00000000F001}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044809Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:05.773{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044808Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:05.773{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044807Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:05.773{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044806Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:05.773{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044805Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:05.773{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1AE9-6136-E808-00000000F001}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044804Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:05.773{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1AE9-6136-E808-00000000F001}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044803Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:05.774{323FE7D8-1AE9-6136-E808-00000000F001}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044802Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:05.710{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081899AE3A0DECDE03C8199F191BFA79,SHA256=FB4BCF0D47032504F7B1CB8B0FC0BC195CFAF7BF963EC9A08C8309039C272C94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025934Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:05.746{FFF7FB96-049C-6136-9F00-00000000F101}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025933Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:05.746{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1AE9-6136-6006-00000000F101}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025932Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:05.746{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025931Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:05.746{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025930Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:05.746{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025929Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:05.746{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025928Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:05.746{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025927Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:05.746{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025926Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:05.746{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025925Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:05.746{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025924Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:05.746{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025923Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:05.746{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1AE9-6136-6006-00000000F101}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025922Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:05.746{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1AE9-6136-6006-00000000F101}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025921Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:05.747{FFF7FB96-1AE9-6136-6006-00000000F101}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000025920Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:05.262{FFF7FB96-1AE9-6136-5F06-00000000F101}26843696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025919Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:05.074{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1AE9-6136-5F06-00000000F101}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025918Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:05.074{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025917Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:05.074{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025916Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:05.074{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025915Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:05.074{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025914Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:05.074{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025913Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:05.074{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025912Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:05.074{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025911Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:05.074{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025910Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:05.074{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025909Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:05.074{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1AE9-6136-5F06-00000000F101}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025908Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:05.074{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1AE9-6136-5F06-00000000F101}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025907Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:05.075{FFF7FB96-1AE9-6136-5F06-00000000F101}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044801Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:05.457{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=980C59E86B0C2C63987D23BA44EB40D6,SHA256=08E2EFFD26552B9E1F29FFC959580ED4C5F092A4142F3B472BDB8035EF468C33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044800Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:05.457{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DF67F6C87EE04447AC75A022ED53BBC,SHA256=85A330774B554698D4FB7DD2DF227060B976BBBEBB4D028F7E4116D73EB4B6BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044799Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:05.126{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1AE9-6136-E708-00000000F001}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044798Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:05.126{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044797Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:05.126{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044796Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:05.126{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044795Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:05.126{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044794Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:05.126{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1AE9-6136-E708-00000000F001}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044793Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:05.126{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1AE9-6136-E708-00000000F001}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044792Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:05.127{323FE7D8-1AE9-6136-E708-00000000F001}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044813Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:06.726{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45A843A1E8A5D7FAD0CF765ED36969F2,SHA256=9896D70C49A0FF1E9A69BFD2CED9903F943D0565D930AD3311999977233757B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025950Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:06.308{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66A794FD0C11FFAC56B40D396C542E93,SHA256=EB39EC4B5CD0D159B40DA13CD6E407405BCD001CD0B59552CEA8B7C65CA54242,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025949Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:06.308{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FBD6341395C552CA91C328819BB26B9,SHA256=5B241B3853C21A43585608F8F4FAD8CE9431FC3D0080D050C00293A9C0139771,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025948Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:06.308{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=501BCE391F8D982BDF54CD35A9DD3D3D,SHA256=FF77D1C7D29DDAEEDAF30F36630B1B32F6BBE71F959A589A45A1805F26063211,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025947Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:06.246{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1AEA-6136-6106-00000000F101}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025946Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:06.246{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025945Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:06.246{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025944Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:06.246{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025943Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:06.246{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025942Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:06.246{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025941Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:06.246{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025940Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:06.246{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025939Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:06.246{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025938Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:06.246{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025937Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:06.246{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1AEA-6136-6106-00000000F101}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025936Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:06.246{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1AEA-6136-6106-00000000F101}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025935Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:06.247{FFF7FB96-1AEA-6136-6106-00000000F101}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000044812Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:03.689{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51668-false10.0.1.12-8000- 23542300x800000000000000044811Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:06.626{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=980C59E86B0C2C63987D23BA44EB40D6,SHA256=08E2EFFD26552B9E1F29FFC959580ED4C5F092A4142F3B472BDB8035EF468C33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044819Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:07.726{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=290515E58C0544200304C175A9AA776D,SHA256=0D8C0BB4F17E7B40691A6D3569D0349ABEBB81F4EAFD21B28E8BA71E8796BF11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025968Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:07.527{FFF7FB96-1AEB-6136-6206-00000000F101}400304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025967Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:07.340{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1AEB-6136-6206-00000000F101}400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025966Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:07.340{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025965Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:07.340{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025964Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:07.340{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025963Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:07.340{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025962Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:07.340{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1AEB-6136-6206-00000000F101}400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025961Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:07.340{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025960Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:07.340{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025959Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:07.340{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025958Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:07.340{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025957Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:07.340{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025956Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:07.340{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1AEB-6136-6206-00000000F101}400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025955Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:07.340{FFF7FB96-1AEB-6136-6206-00000000F101}400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025954Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:07.293{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBD56E29DA0C4AFC94F1D98E93FB8609,SHA256=8F044838E695E860FFBDE058B1B98CDA509A5EF56155ABAB21091B55C3B1BB0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025953Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:07.293{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66A794FD0C11FFAC56B40D396C542E93,SHA256=EB39EC4B5CD0D159B40DA13CD6E407405BCD001CD0B59552CEA8B7C65CA54242,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044818Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:05.196{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51669-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000044817Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:05.196{323FE7D8-023F-6136-2800-00000000F001}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51669-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 10341000x800000000000000044816Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:07.388{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-022E-6136-1500-00000000F001}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044815Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:07.388{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-022E-6136-1500-00000000F001}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044814Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:07.388{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-022E-6136-1500-00000000F001}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000025952Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:05.577{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50924-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000025951Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:05.046{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50923-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000044838Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:08.842{323FE7D8-1AEC-6136-EA08-00000000F001}19044172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000044837Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:08.727{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D4834F7716784F735D0EB71199A47CC,SHA256=91E95C66B4C0765EDBC466131847BF8AA2DEE4C8FD24B1E0B219E6F67BD25B6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025998Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:08.746{FFF7FB96-1AEC-6136-6406-00000000F101}37642368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025997Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:08.590{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1AEC-6136-6406-00000000F101}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025996Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:08.590{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025995Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:08.590{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025994Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:08.590{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025993Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:08.590{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025992Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:08.590{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025991Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:08.590{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025990Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:08.590{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025989Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:08.590{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025988Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:08.590{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025987Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:08.590{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1AEC-6136-6406-00000000F101}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025986Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:08.590{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1AEC-6136-6406-00000000F101}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025985Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:08.593{FFF7FB96-1AEC-6136-6406-00000000F101}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025984Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:08.590{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93851CA3A3A034478CBDDD066A71CF33,SHA256=17A8C43BAA691E6CEC7A5756BA2C4C678D967984B2BFEC277D0774CF4B40B357,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025983Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:08.590{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4FE6D0146EBFD1CB6871F3D48C4007CA,SHA256=8DF47BB1AE1BA06EA042D6A300D61EA591768FE40C01AEB4B244D189982D9BC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044836Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:08.674{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1AEC-6136-EA08-00000000F001}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044835Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:08.674{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044834Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:08.674{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044833Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:08.674{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044832Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:08.674{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044831Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:08.674{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1AEC-6136-EA08-00000000F001}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044830Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:08.674{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1AEC-6136-EA08-00000000F001}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044829Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:08.675{323FE7D8-1AEC-6136-EA08-00000000F001}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000044828Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:08.227{323FE7D8-1AEC-6136-E908-00000000F001}4632944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044827Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:08.009{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1AEC-6136-E908-00000000F001}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044826Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:08.007{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044825Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:08.007{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044824Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:08.007{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044823Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:08.006{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044822Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:08.006{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1AEC-6136-E908-00000000F001}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044821Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:08.006{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1AEC-6136-E908-00000000F001}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044820Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:08.005{323FE7D8-1AEC-6136-E908-00000000F001}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000025982Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:08.137{FFF7FB96-1AEC-6136-6306-00000000F101}37682520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025981Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:08.012{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1AEC-6136-6306-00000000F101}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025980Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:08.012{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025979Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:08.012{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025978Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:08.012{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025977Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:08.012{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025976Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:08.012{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025975Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:08.012{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025974Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:08.012{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025973Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:08.012{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025972Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:08.012{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025971Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:08.012{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1AEC-6136-6306-00000000F101}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025970Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:08.012{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1AEC-6136-6306-00000000F101}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025969Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:08.012{FFF7FB96-1AEC-6136-6306-00000000F101}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044849Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:09.758{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B9DE15E481A71DD9FAED4EE51FAD39E,SHA256=49DE929C35F7D9ECD4124EAA491C87A19954C436961F974A6789981146381BC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026013Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:09.730{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB1E9761DD66F59406183297AA9DB572,SHA256=6FC089971661D2ED4F2FC7293E5D05861EBF7FDAE19DC205BB94A8C927594607,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026012Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:09.730{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C8513A036248549F0F5B12B1F7003D9,SHA256=65BF95F0BD4A4D5C80684F7CAA3B089C38E5730213640D637D8C4BB779607CCF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044848Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:09.511{323FE7D8-1AED-6136-EB08-00000000F001}49965872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044847Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:09.342{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1AED-6136-EB08-00000000F001}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044846Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:09.342{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044845Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:09.342{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044844Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:09.342{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044843Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:09.342{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044842Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:09.342{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1AED-6136-EB08-00000000F001}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044841Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:09.342{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1AED-6136-EB08-00000000F001}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044840Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:09.343{323FE7D8-1AED-6136-EB08-00000000F001}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044839Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:09.009{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C3F0DAFBEFD455DA61B297BD3485CBE,SHA256=DC34AB6CFD41D530B55327BB61CFB4AAFE6F3F437EF21BD5011BECBDDFC8F92B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026011Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:09.262{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1AED-6136-6506-00000000F101}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026010Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:09.262{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026009Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:09.262{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026008Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:09.262{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026007Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:09.262{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026006Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:09.262{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026005Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:09.262{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026004Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:09.262{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026003Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:09.262{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026002Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:09.262{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026001Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:09.262{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1AED-6136-6506-00000000F101}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026000Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:09.262{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1AED-6136-6506-00000000F101}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025999Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:09.262{FFF7FB96-1AED-6136-6506-00000000F101}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044859Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:10.773{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=893E88A748A8E9A69CE89FEEFFA8B032,SHA256=AB7851C5C5216BDC1B24A3AD24780AA3F7C850B366032C16A440C765AC917CB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026014Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:10.730{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2866EFD002F1D7BDFE31AFE6A8AC2AF,SHA256=04B2E702F05B546DF05B85BA6CDB97B2D2937E5631DBC0179342601050139520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044858Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:10.357{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46868AC0F0138BD18285FB54894A5BF8,SHA256=8CE4E075974240DEC582617E7595427591D2C16AC23784A27B037CB452942B7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044857Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:10.026{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1AEE-6136-EC08-00000000F001}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044856Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:10.026{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044855Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:10.026{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044854Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:10.026{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044853Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:10.026{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044852Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:10.026{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1AEE-6136-EC08-00000000F001}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044851Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:10.026{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1AEE-6136-EC08-00000000F001}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044850Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:10.027{323FE7D8-1AEE-6136-EC08-00000000F001}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044861Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:11.787{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1548F830D5076F07F6AB94229025C38,SHA256=ACD6128F88737332657DF41B1924D9202B265A302921D521423A4590E230048A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026015Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:11.793{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FE39EA626661CDB662711CC28BDC653,SHA256=63AEBE38E81882E6E187B3E2B02729DBAF71E7BB46F0C56D7C887CE0A93FDC0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044860Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:08.781{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51670-false10.0.1.12-8000- 23542300x800000000000000026016Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:12.871{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF1B304F565802D94DA97A5673753E5,SHA256=C1A0C5D59B27753DD6C5438D992EFA26459136AB9FDAB90D7C742235D7F67F4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044862Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:12.805{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCB14CD0379FFF60A68636DE072AACAA,SHA256=D431C41D8A2F27D94BAE237DA728245B0A0A84DD5C36F1DD542FE95134478805,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044863Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:13.824{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FBC3EDFD4BC85B1225CEABC4855D0B6,SHA256=8DDCFDB42A498353F77A806BB8C8A665F8CE1F586F4CBA90465FF2B763446FCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026017Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:13.887{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D6A40CF0F2EE2094683C5B9739465AC,SHA256=DB3FA35006102A14E06DE939C42F4E996058899970007689D911660AD197028D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044864Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:14.839{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1076FEDFCF3EC84D3B92EA02CB3823D,SHA256=107401EC86D6127AACB06B0A6EA9C3FFE2A5240DD5CDFBEC052C64782D4202B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026019Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:14.887{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3EA6777B1524F7F9405B3FC5B214A83,SHA256=9F3D1C242F265B8AD1AEA48E514549EFAE9F40966680B456AA5E969EDD101BB5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026018Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:11.030{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50925-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044865Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:15.869{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=992CC0FA394B2676FD0A1E988723B013,SHA256=1778D5A3E805E4D20B17A1D19A1572F2B821DAE13EEE9B6ED0C17547E36EED8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026020Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:15.902{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA852EEEBBCC1F76513E88CC7E215E3B,SHA256=DDDAF3FCB73F12F6E9C1DA9BD20CBFD1BAF09F25D0BFDCB26A0F546D39C80164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026021Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:16.918{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D80D72CA06DB5C2B5DA52A02C9155FD1,SHA256=A718133C6F708AABC5041FE6F8A8CA6DC29CCEC7F7EA4E3536CFC454D1F20A3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044870Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:16.884{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AF766070D8E443299FF95C8930EBCF3,SHA256=F9759FAD0D8958D44B782DC5E514C28440355D0774B68EA3401BEC242A3D1322,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044869Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:13.816{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51671-false10.0.1.12-8000- 13241300x800000000000000044868Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:43:16.637{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9752B235-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9752B235-0000-0000-0000-100000000000.XML 13241300x800000000000000044867Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:43:16.622{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CED8D70C-FDB7-4280-B713-3A56B1B8A289\Config SourceDWORD (0x00000001) 13241300x800000000000000044866Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:43:16.622{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CED8D70C-FDB7-4280-B713-3A56B1B8A289\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_CED8D70C-FDB7-4280-B713-3A56B1B8A289.XML 23542300x800000000000000044879Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:17.904{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A878A0E20A2150591A99BE28849A1AC,SHA256=56BC9754FE0D0F53A37B8B98D78765407351DB376920BA47CF99C00725B24F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026022Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:17.918{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9823A65A72D6A8FC22BD81AB9B33DFA4,SHA256=6FDC9AAA16CFAA83D21F8F3B7270F07C8C899C0738213432D7E7922E37ADA945,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044878Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:16.241{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51674-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 354300x800000000000000044877Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:16.241{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51674-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 354300x800000000000000044876Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:16.232{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51673-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 354300x800000000000000044875Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:16.232{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51673-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 354300x800000000000000044874Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:16.215{323FE7D8-022E-6136-0D00-00000000F001}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51672-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local135epmap 354300x800000000000000044873Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:16.215{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51672-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local135epmap 23542300x800000000000000044872Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:17.652{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41FABD517B139F3A39C26722F1A5FCE8,SHA256=0C57B7A10714C6E22C7A5018150D7CEAA4E605353CBC2AB6CF0996F96670222A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044871Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:17.652{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=911B06E8D8B0EE1F987AE19AFD01D403,SHA256=7CFFE38109926B695A7955F9DB99C317D469D91CDAD815546D4A3F5B2B04726D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044880Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:18.936{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A505062EAA044C146583B38DB8DC5DA,SHA256=2354768DAF5923BF18AD8D9E275AB236A9A32172E64B9731B46D22465282B61F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026025Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:16.920{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50926-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026024Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:18.929{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16FB675323610355EED83BB4C452A0AD,SHA256=F7A9396EE57BAE8130B784FD164C4D42BE01A0D00C47333859E5F2E5316480E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026023Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:18.562{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\respondent-20210906120554-094MD5=4761C661187147E55C9BD88F93ACDD3F,SHA256=E49051AD655512C416AEEFA39D6145E31F50204E8459201070596158B48A8487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044881Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:19.951{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=075D594BEEE069E185F0D9C9545A4351,SHA256=D486904FF07CF3033A321A78E9F2F63891BE162E0644110EC92E9CA56710BC44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026027Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:19.942{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9CDC43AC4DBA31A744AD5FC3AFEA6DF,SHA256=1D58A07B51BB9A66B523D58753CF743E26B8F037C802782154219A0049D2E81E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026026Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:19.570{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\surveyor-20210906120551-095MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044882Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:20.966{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBACFC62C40ED802FB158E72DDA73E65,SHA256=F8E27516C93AFDE2632294E50C2FA34BAF3C97A059D3D1E54CCA184F3FE3334C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026029Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:20.944{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBCCDA502F1A0E0505C0543C6EF17468,SHA256=D60A282EB1B0FAC8A207E1729C90F3B0343F8F9CA7CA51B7F31794C286320CCF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000026028Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:43:20.929{FFF7FB96-041E-6136-1100-00000000F101}1008C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a325-0x27e71e88) 23542300x800000000000000026030Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:21.945{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1BA77D2A0D09C3B97C07C1BAF6615F3,SHA256=861ACA52024C16AF660ACC5A8F827D3B43861EF19EDB4BFD72ED7194109B3447,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044883Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:19.727{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51675-false10.0.1.12-8000- 23542300x800000000000000026031Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:22.945{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=901F9B71A9AFCC88E1F6EA27EED2701D,SHA256=4F31D601F4432D69B4460FF6588C68254CCFBE13806AAF211E187FD8C68E2A6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044884Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:22.034{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3A3F4F58EB5E86C978670F1E34D6954,SHA256=B55C9D835E9B312899A7B4525C5168A0C8519DBE97E667E324D1886E07600970,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026032Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:23.960{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99C7F58BB4BC70420E7DA8DC59E4AC9D,SHA256=4DAA1EA4052B1CCDECC7E78C5FD84AAD42BEEA6D5D609DF1510A15A22D6117BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044886Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:23.049{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6E56C26397B523D9918969FF36EFD68,SHA256=A649FF3737DA37014B05BBC2AD654356B0C551E16C6E355DB15BF6D79F06B530,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044885Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:23.018{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\permissions.sqlite-journalMD5=8E53D043E90010B39B355AC3F9871D6E,SHA256=70D36CB5A5BB2694CADA7DFC0EC653676E152D9D9C99929776B7BB0E87EE13B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026034Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:24.960{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98ADD39EB5E262BE273274ADF03A726A,SHA256=9F1AE9290831480150C785C42BF84A8B601598EC8A9E47C94B6E5BA4C342E6B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026033Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:21.963{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50927-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000044887Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:24.064{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=802891BF8DE06357F9C935C58F46E617,SHA256=2763DE6610684BD6F1E92FADADF769C3ED7B506A2D8CC6953F62C776E8380E1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026035Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:25.976{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=653563514D127DA7A590E4CE63D34329,SHA256=0D2C9C388127817A83E231FE5F2F382CDE2E19485C48A26F5A4FCE3459D2441F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044888Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:25.147{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED26DA2F6B1CEDBBEAC7370D47FAA1D6,SHA256=ECC7997E15C0A103709BE9C8708FB8E075B814BA9079AA3CA02D6258720B3619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026036Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:26.992{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A7CDC196E8CCBBFE8091203F6E318A9,SHA256=8A5BF4603FAC2586DD8B35343DC9ABFA8CBD5CD6C4EB8AB1E2870AC6AAB0DFE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044890Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:24.755{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51676-false10.0.1.12-8000- 23542300x800000000000000044889Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:26.147{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1DAC145BEF98D843682398FA30B7FC0,SHA256=F95582D3A96F26E7C3D361140B6953FF458386E5F4358A1C436B7CB147D44E81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026037Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:27.991{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=531D51BDA8FCEDE6AE20C45E2B70AB51,SHA256=85BF4DF788A361BF08E43775870B3BA40B7D14748A37CA70F2D0B2FF10C31054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044891Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:27.162{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A99CE04201BB78F961D88F40E343A5D5,SHA256=A3E5BE5C848556BDEF10C240DA9672BE2809B07B14E5FA61C0C9564B0A4A90B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026038Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:28.991{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC3A1E4FA2091D8F1D4CD27855B81C42,SHA256=3D16EAB10F5CCCE4C287866F3DB98C3F5DE02C9D4051038009FC777BB4F7C554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044892Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:28.195{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CBC38B6BFA22528B61A9FB885892F79,SHA256=144355F9A65FCB331BAE88C3161E9E49B019D34D72CDFCFD865E255E5A9C216D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044893Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:29.214{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B793883D72358D5B247A3A642309FE4D,SHA256=3D90A7EEB824DD352054F3D36A54B20B6113B5768E313EB3581115D0A10F476C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044896Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:30.255{323FE7D8-02BC-6136-A700-00000000F001}1036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044895Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:30.231{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\respondent-20210906115753-102MD5=58D52BFFD80488B8005F7C319C2D4334,SHA256=B9D8441D1BC2ED8425146F5F211E2A21C477807F4E0B7EBAD9811C868FAB9279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044894Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:30.231{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=542A80E19B1B27B92AC08AB3195D0A69,SHA256=91889CC56A52979E924D9A0055FF274B6EB9C638A7F14BD5F52297F5C2B215FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026040Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:26.978{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50928-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026039Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:30.007{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF3AAC659A40E02F85E22A9C7736EC9,SHA256=E086EFEE9DC9C8E6AA04168BDE0F9585A371A7FB0EC972EC49D12565266103E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044898Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:31.252{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2963E6612F1D05CEF5227FA4A3D62EFB,SHA256=0C4ACCD1057EC17B97348532DF0600F2BB42DE5A421CEE4B247C4995F631372B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026041Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:31.023{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B104DBC21B3D228B14395D57F4C00744,SHA256=4421260CB8DEBE51D7A4C7583219A67E9F6A3F7FA48503719BBC43D6A61770A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044897Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:31.246{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\surveyor-20210906115751-103MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044900Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:32.259{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C80935F8B8CD62290011CB9A83BC6DAA,SHA256=DF99194EE0CFD139CABC9E1AF9675CE29FE0FA9E0D05DC70487040BF11CEB97B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026042Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:32.023{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF6005F14B20BA2123FFD14053EF2B71,SHA256=2CD40267C2D420C224FDBBA6668A39ECBD3AA052035DAF2B414166737C6545C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044899Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:29.831{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51677-false10.0.1.12-8089- 23542300x800000000000000026043Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:33.023{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C32CCAE6CB9F2ABD4FD5174735D4FCC,SHA256=390DE1CF09C21E1EB2FBB906CFEB2D6525C61F6EED1F9D351E401646F3AC6753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044902Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:33.274{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23F1FA1BF69DE17DF92DAAE940CA82C2,SHA256=B848987033C0F03CCB041A788EB8CBBE34A7541D53FF5D57D2A047F30C7B92B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044901Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:30.784{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51678-false10.0.1.12-8000- 23542300x800000000000000044903Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:34.292{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F0C798A1C5796A684818D5BAB4A018B,SHA256=152249869F355AA1E464BFA7FC37C08007C370FF2BE0E760C31F114D076ABB03,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026045Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:31.978{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50929-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026044Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:34.023{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9A396C60C6CA571952D8540970A0FB1,SHA256=D3E67002F045B30A6C559CC47F54BF549ADF6BD8478EF31FC597E5D3D87AB588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044904Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:35.312{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A1116F295EBDF09B1FCE0A9D6C0663F,SHA256=9FF223A95697DF07988967A0D11A3D4DA51DA9294FA17D70B75CF1D8A0C3745C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026046Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:35.023{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=954E42C424D48608E88483BB080ACF5F,SHA256=C33E94F8B1291FD9159743985B9786B917FCC8C03D3D54CC33802CB8991EFF53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044906Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:36.314{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEC26871B750B9D76CD415CEBBAEEB58,SHA256=87D644C98FA61280EADC437D54177D18163CEF2EF932AC6DBEB0A0D495A6418E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026047Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:36.038{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53BB9E63E2BB0D0940A10F4999AA4455,SHA256=2AF53EA0AEF744EC90843DEB68D62365C668F43FE06D10DE52F69EF3AF46C73A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044905Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:36.243{323FE7D8-022E-6136-1000-00000000F001}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6413591C385BEEE8888162330C08FEF3,SHA256=A760C337D6789358A77988AB980E9DEDB5E164C5E7CA59D21A27CC108E85C1D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026048Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:37.038{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F350DAB61EA3735B07BE72A4810D746D,SHA256=B832C76BF729C8F73ABD2DDCA5ABB1A0D0A04AFD0F62705C95664394BF118FD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044907Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:37.314{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2BD86F94279567C5E6F6768EDB445D8,SHA256=B005D6CA83D8CA3F918CBADCFCA7A7958BF290298A59E11A510069D1BE6DAC07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044908Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:38.329{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=937BFAB6B0446B68256F9E1B4CB5A3FD,SHA256=2E6AC07A1A1103CD5CE5085E335A5D49ABF2F9A859E467C66A80B2C9297FB88C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026049Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:38.054{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63E23A3DADD3A6F91223A44DE5D69D62,SHA256=B8C73CACFE19452B78ED76772BBFF9700374C8AC700703DA8BF246A0C05C649D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044910Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:39.360{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0234773E5BB5BBF91AF88E781D3CFD1,SHA256=BCB73466DE99CA77942D312AFCB13FF28BA4B49EE301AFD637BC6F170E70235F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026051Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:37.900{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50930-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026050Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:39.069{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E36B6B0E9919CF0C796779A5FCA3F2B3,SHA256=97FFB153BD136536E2085BC1E97EA63C71A74E8EBCF2A2610F5DB4F597AF7583,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044909Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:36.684{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51679-false10.0.1.12-8000- 23542300x800000000000000044911Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:40.392{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC4DBDAA9D5F326A61FFFBAF38F8D147,SHA256=32289E6C723B0BFC25F5DBB34857EAA31104D8206E7ED1757AB09F47D8E384D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026052Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:40.084{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8AE67A3489079B1BDEF45F7BED2C915,SHA256=F3003C2BA4513A00FA2647F1A176E1E5DA59AEEE16BB4FB1FDB7FB543FFF6D36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044912Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:41.404{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E15839BD8D69B418B2357E3D333720EF,SHA256=F8D0BB0B2E5375D42BC098EDC64AB69E0C69FA65853F787BD88D3C3E737199F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026053Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:41.084{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E66C8A4475F4009F43D47729AD573C,SHA256=A740D4E84FF94DB50BB478D92489D45F57E1C51DA6B25C55E6D95313FA6514DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044913Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:42.424{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DE4350DA16E5026C2E378E9E9A28A51,SHA256=23309F8C84DB6E7037139A778AC6884C667F954FABF203024F377917939916BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026054Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:42.100{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24611B9A99DBB7D6C6105254FCCE53E5,SHA256=4F9508A2D99A14B4DB866D2A8F31438650E1580613DEBD89F6B284D9498DE091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044914Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:43.439{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A7F2E8AB7F76CBE1E2EA1C423018C3B,SHA256=1CE7756E1E57796552AEC2E09D6D2444210DB89BDE3BC61A774DEB35F5D5ABDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026055Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:43.104{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52152826300A4D853EEE52B623121A5F,SHA256=2EE4F3B5B24BB98C9B9A82F7EC414EEA27B9FCD791D1385949B1643A7E9338DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044916Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:41.832{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51680-false10.0.1.12-8000- 23542300x800000000000000044915Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:44.470{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=762F619F3C69A6622401BAC41835F63A,SHA256=4C4799EFC2A08FBDF66985472FAB782637C4203AFA633E41B68D69E5E182388D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026057Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:43.087{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50931-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026056Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:44.116{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F69461E95D9A36B575ADDDEDC8DE9A3,SHA256=9F3B463591F128A78FC4AB655ED14A50E1D48A493E396C422EB08669EC155B05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044917Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:45.503{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1398B1D3EC8F4436B34EF3503B966F1E,SHA256=44D0FA5EB675A0A79F7A97EDDDAC687A8D4A80146C0644AD29AA9651A032A9CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026058Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:45.131{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A3D8726805A52EE36119CFA20DEF6F0,SHA256=C40035B236D7FF36541CA55AF72CEB776B5F85A4BB308F877BA08EE299B40F8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044918Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:46.537{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AE24A0DACA7AD8FE74AB89164C1CF73,SHA256=5BB6D291143F02009991345359B0B9419AA0A7496C4A21C65D83E0A38D8DBE9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026059Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:46.147{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3539D781E0C3491F769AA59FDCA60AEA,SHA256=3D469E2CFD87A1BE14958BA6FC0DB1DF3110FDABE673562FEC9CBAD7097C6EFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044919Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:47.568{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=979106FC39B0E15219CF273555847459,SHA256=0D322642C69C9FA100207508FA0BFF559D41724C83E3B6E6C4928A8A6BF3A87C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026060Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:47.147{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD5164D7577C3B4DD4654B77FCD825EF,SHA256=19B29285E2A209C0A7BC15986F86D8F93C34CD77BA54AB818740C6960A24AF58,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044921Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:46.844{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51681-false10.0.1.12-8000- 23542300x800000000000000044920Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:48.601{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B356C7B75B666E9121800D483FF30F,SHA256=935165B389E12D974E35A95AAEA1AFA36BCC2CD0F6735B9C2116FF579291AD8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026061Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:48.163{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=579079A1B72996E5CD3E03F94B36C6C3,SHA256=E96D0A47BB0E056EEDF52437A5C628DC0529BAB7C58C37A1D2D76CCCF4114158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044922Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:49.635{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F378DA3E0AD166AD8B1FF1DC65D9A9,SHA256=C09FBD426306D8262C35DA2EF6757F69AF4F32F4012484783E4C0DB0DF9B89CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026062Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:49.178{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEC910D9EFB0A9664A438BA9BB033F68,SHA256=C2F0F58BA9E631355BBAFA25B99ADD822EE8901F6DE4878B6740F7F1A1982615,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044923Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:50.666{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=916EDBAAE63D20E56D84F7FA136E3056,SHA256=C1C8B317D30373701BA393311D63EEC3BC3442F0BF2BBC7EE94714376479621B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026064Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:48.853{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50932-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026063Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:50.178{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27CB128B3907BB0F410E5211E80AD3B6,SHA256=95A7D578D6D6596D4F9D28A8E4CEAD7768EE71201FF74F6A6844371728F6C12C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044924Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:51.699{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59769B9C503C1BA588BB07AD669C5BBA,SHA256=C6BA2453833BB5F4A5BDF69BBE5EF8BA47BB1C93B1A91ADEA111D19D230F5D44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026066Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:51.616{FFF7FB96-041E-6136-1200-00000000F101}1020NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=AC469CBEEA4EF790C375A6F12086811B,SHA256=B0CB5FC632E2760CADC74F0985F163101632ABD0190E2811FD88B9553226B2D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026065Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:51.194{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86C629CE7A22E0630E1B123C03553FFA,SHA256=57AC887DFE8A5CCE89E4B98F0CA9D60D8F7FDCFD4DD8DBBB9FD90585958F733D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044925Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:52.718{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F13D53DBF067E8B045CA1A03EF6E5702,SHA256=446A25974728D64B0E71B992A9B1CC443250A1446AA9C22EF48BDA3E7271B9F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026067Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:52.194{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A765493C1D9D66425DBB49E92142DD78,SHA256=DF25D371C548D32A3E7FF62EDE17114E9896B0989B36DA8F0E65E550E31ECD02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044926Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:53.732{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D9E9C2E7C0F7A057F31917387BE4BB8,SHA256=635E63CB501768D47A110B172DCA8BA3D91D8560F1B6C8652E4877BC81E4DCCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026068Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:53.194{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=490B265B9601CE34A626F60AD0450D23,SHA256=F760DBB17E7C88C85090327731FDCCB3D903D1498A5108037D66F5DD6E63006D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044927Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:54.747{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=780684A806EC906F0A77ECEF785DFE93,SHA256=B5AF20F47E4F0D80A5BE5B8631AFB814A9DCF1F1A490E8644AA328B841A91148,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026069Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:54.194{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFE7DC3BE9F1FBC017FF9C3AA609AD08,SHA256=977191DB599C851CE23B433F1FE216311778B1A571ADD3BB8AA092797EB02A74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044929Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:55.763{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8692329D95E2FAA0E0C6B1122954E9F4,SHA256=3B21D12301B6347B9798DB5513F88758E42B8855B125EC2A48C2C03D06BBBCBB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026071Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:53.915{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50933-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026070Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:55.194{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D01437B312872A359049C1FE432FEEF,SHA256=CA4DB84FA41A5B519CB707F2B7020ADBFEC3922561EAC18399CA513E1C1BED7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044928Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:52.756{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51682-false10.0.1.12-8000- 23542300x800000000000000044930Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:56.778{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B69D058CED8908F178C95286BEE35877,SHA256=9F42211451A50E62754233B2AEF003C6C3D8A11B47ECBE7F95C5F717A1ECEC76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026072Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:56.209{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A6C891E4EEF539C8F79128318BBC943,SHA256=4E9B8168C4F89DB825971C5D8B01C8E0670F43B3208E972155A6E7FBEFF76A34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044931Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:57.795{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=459C30B9827B7B638322BA76C8DED4DF,SHA256=B434C1950B6784583BCEF58AE2890DB23EF47BFA233ECE531089DD44BAB8F312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026073Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:57.225{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C1112C65ABE5DFB10FC55D6C0741B9C,SHA256=286924CF6285A6339E3DECB98B0E7986AD9F0F635D51413AF1AA4D107B7D03BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044932Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:58.831{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B0AEC6E06392983AB430BC4D636442A,SHA256=950ECECEB283ABF71EE702569620B29B82C7B7EFC2D08A93FC3669B85083C826,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026074Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:58.225{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=311707D18C804A656EB263921F6F0FB5,SHA256=70A3C5BD1EA2687147F3D9DB1BE4BFAD9E01C51D0A11B9193A53A1462B95892B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044934Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:57.839{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51683-false10.0.1.12-8000- 23542300x800000000000000044933Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:43:59.846{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E12E805A8E651087D7B0A3625F503E27,SHA256=C8FF16226CC9341906D5725F7263FC6676024FA465FB5AB4C5ED3BB3B3755DEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026075Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:59.229{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD66F5D95A7F8CA6F2D5C59D18D32323,SHA256=B62AB93BBA6BCB0050C0B71A4F8A108B1BC25C9FFDC1E72CE1351FB99262B88E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026076Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:00.229{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03A1DBB8ED65AC9BAC64EDEDD11A96D1,SHA256=158F843706F1F562C946EA65D02FAAB91DFBCF8C2757A2D51BBC1F2B9CD3D494,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044971Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044970Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044969Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044968Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044967Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044966Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044965Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044964Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044963Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044962Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044961Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044960Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044959Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044958Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044957Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044956Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044955Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044954Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044953Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044952Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044951Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044950Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044949Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044948Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044947Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044946Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044945Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044944Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044943Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044942Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044941Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044940Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044939Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044938Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044937Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044936Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044935Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:00.730{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026078Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:01.229{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=882D9F290359D026E6129AFACFCE2BBF,SHA256=54C7EB4874E1F3E85E91C603B5E04CDD2EB718C0D53DDAF973D1930644CF5DC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044972Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:01.130{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4525643E8A6498AB67E0D2E1BEE7B84,SHA256=4BBFABFB8220206FB2A12AED0E95B4C5B5614BA4743CBF265778BD9532276A27,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026077Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:43:59.091{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50934-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026079Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:02.245{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F299C5490521DA0F04976591B355241,SHA256=84D45BA221E2896F21AA8F12A457DEC1E8A1E3F8100174D6ED5240F01B636859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044973Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:02.160{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3C1A5FD4DD3E37BC9E9F509704C58D5,SHA256=FB4EC1230A25AD11BA314AAC415433E7621D522C8FED11A15AF2F5C46E632D3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026080Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:03.260{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=504B0691A3DB5D58F3C21D7AA8022993,SHA256=5496C04033A1220724EC9F4D58313A5EA23D42FF1A8C0300F66F6087BC32EAA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044974Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:03.175{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB11D391D54FB2F42A38B3DE23E00DE2,SHA256=4639C33611DF3F8D6AA834911FA1A1F3D8783D078C4807AFBC81E92B7A93C61A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026081Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:04.260{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2565F3779A204959AFABE42E8107CFA7,SHA256=6E8E745422E60716FBB26AB8B31CEA7CC81695E625A82F5C57DC2159CB94DA61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044983Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:04.460{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1B24-6136-ED08-00000000F001}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044982Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:04.460{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044981Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:04.460{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044980Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:04.460{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044979Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:04.460{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044978Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:04.460{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1B24-6136-ED08-00000000F001}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044977Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:04.460{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1B24-6136-ED08-00000000F001}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044976Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:04.461{323FE7D8-1B24-6136-ED08-00000000F001}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044975Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:04.176{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61F9980CD529D68E515FE1F7660DCE70,SHA256=A5048F4C0563FF9DF52691D21908E092DACF43D5A1EC06E062913356FAA17950,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045004Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:05.995{323FE7D8-1B25-6136-EF08-00000000F001}65282460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000045003Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:03.736{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51684-false10.0.1.12-8000- 10341000x800000000000000045002Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:05.813{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1B25-6136-EF08-00000000F001}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045001Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:05.813{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045000Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:05.813{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044999Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:05.813{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044998Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:05.813{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044997Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:05.813{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1B25-6136-EF08-00000000F001}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044996Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:05.813{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1B25-6136-EF08-00000000F001}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044995Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:05.814{323FE7D8-1B25-6136-EF08-00000000F001}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044994Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:05.460{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B96998F7FBFF6518501D07EC0CA73CAC,SHA256=383EAA224D564ADFD8435EBC2121C822628C77AB57B093E3944155FAEFB61640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044993Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:05.460{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41FABD517B139F3A39C26722F1A5FCE8,SHA256=0C57B7A10714C6E22C7A5018150D7CEAA4E605353CBC2AB6CF0996F96670222A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044992Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:05.176{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64B55AFA8C118467DC5BD677E3D2C444,SHA256=C1AC879640A5C12102B9410156E425ABE068983E9CC445C0D21A8BF54EA77279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026110Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:05.776{FFF7FB96-049C-6136-9F00-00000000F101}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026109Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:05.713{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1B25-6136-6706-00000000F101}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026108Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:05.713{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026107Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:05.713{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026106Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:05.713{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026105Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:05.713{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026104Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:05.713{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026103Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:05.713{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026102Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:05.713{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026101Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:05.713{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026100Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:05.713{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026099Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:05.713{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1B25-6136-6706-00000000F101}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026098Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:05.713{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1B25-6136-6706-00000000F101}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026097Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:05.715{FFF7FB96-1B25-6136-6706-00000000F101}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026096Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:05.276{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F491C01EEA3D918FDEDE01EC7AFC651C,SHA256=FAA0955FAD36CB85463E495938590070AC42010BFF7FA7B132AA10350D19FE5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026095Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:05.245{FFF7FB96-1B25-6136-6606-00000000F101}9843980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026094Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:05.073{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1B25-6136-6606-00000000F101}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026093Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:05.073{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026092Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:05.073{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026091Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:05.073{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026090Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:05.073{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026089Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:05.073{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026088Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:05.073{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026087Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:05.073{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026086Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:05.073{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026085Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:05.073{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026084Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:05.073{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1B25-6136-6606-00000000F101}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026083Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:05.073{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1B25-6136-6606-00000000F101}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026082Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:05.073{FFF7FB96-1B25-6136-6606-00000000F101}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000044991Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:05.144{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1B25-6136-EE08-00000000F001}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044990Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:05.144{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044989Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:05.144{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044988Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:05.144{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044987Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:05.144{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044986Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:05.144{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1B25-6136-EE08-00000000F001}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000044985Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:05.144{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1B25-6136-EE08-00000000F001}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000044984Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:05.145{323FE7D8-1B25-6136-EE08-00000000F001}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000026126Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:06.338{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1B26-6136-6806-00000000F101}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026125Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:06.338{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026124Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:06.338{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026123Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:06.338{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026122Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:06.338{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026121Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:06.338{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026120Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:06.338{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026119Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:06.338{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026118Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:06.338{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026117Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:06.338{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026116Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:06.338{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1B26-6136-6806-00000000F101}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026115Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:06.338{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1B26-6136-6806-00000000F101}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026114Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:06.340{FFF7FB96-1B26-6136-6806-00000000F101}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026113Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:06.276{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2B03E675D6757587F539258650DCB71,SHA256=45F2077770C158C0C057BA357A63E1204700B477E14816FDD0F38A710C924EE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045008Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:05.205{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51685-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000045007Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:05.205{323FE7D8-023F-6136-2800-00000000F001}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51685-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 23542300x800000000000000045006Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:06.659{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B96998F7FBFF6518501D07EC0CA73CAC,SHA256=383EAA224D564ADFD8435EBC2121C822628C77AB57B093E3944155FAEFB61640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045005Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:06.213{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=502E3D5A5BF20490CEA84993E762A97C,SHA256=DC0DCBF9AAA0D4AC2484B8912CDBD07EAB93F0CB363FECCAE46EC1D510EF0EB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026112Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:06.260{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54E2F893ADB31B5A82B3F836439A666C,SHA256=6785F3B2D1776350E3588A68FB3D9921F0B8795B247570F2CB53858FFE49487C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026111Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:06.260{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFF0F8434AD9E1EF0E7056E5B82DF0C5,SHA256=BD20DDA494FFE47D9816C36779015C05905C2EB7801D9AC1783992A4ABC6BC54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026144Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:07.526{FFF7FB96-1B27-6136-6906-00000000F101}28643412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026143Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:07.370{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54E2F893ADB31B5A82B3F836439A666C,SHA256=6785F3B2D1776350E3588A68FB3D9921F0B8795B247570F2CB53858FFE49487C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026142Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:07.338{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1B27-6136-6906-00000000F101}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026141Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:07.338{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026140Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:07.338{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026139Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:07.338{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026138Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:07.338{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026137Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:07.338{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026136Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:07.338{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026135Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:07.338{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026134Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:07.338{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026133Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:07.338{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026132Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:07.338{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1B27-6136-6906-00000000F101}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026131Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:07.338{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1B27-6136-6906-00000000F101}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026130Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:07.339{FFF7FB96-1B27-6136-6906-00000000F101}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026129Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:07.292{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC184DA5B8F026EAFCE9683351B92F30,SHA256=7BBC87B24A2ED45B3F5D5B22AB1533AFA5DFD7B4993BF43D2280075AFC6B411D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045009Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:07.228{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF5969C317832FD7B0248AF4EF1FF961,SHA256=CB6B91F934E534CD7FD2335C8BBF608FEEBCB1129DCD3470788B303CA44111B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026128Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:05.607{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50936-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000026127Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:04.935{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50935-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000026172Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:08.620{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1B28-6136-6B06-00000000F101}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026171Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:08.620{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026170Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:08.620{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026169Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:08.620{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026168Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:08.620{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026167Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:08.620{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026166Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:08.620{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026165Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:08.620{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026164Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:08.620{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026163Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:08.620{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026162Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:08.620{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1B28-6136-6B06-00000000F101}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026161Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:08.620{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1B28-6136-6B06-00000000F101}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026160Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:08.622{FFF7FB96-1B28-6136-6B06-00000000F101}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026159Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:08.620{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=860887F97E3D03E3009442FD36D6B4F0,SHA256=B5B95016B3A67C2817D865BE37D850918A2079918F8873BE716722D94F97BFA6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045028Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:08.697{323FE7D8-1B28-6136-F108-00000000F001}58405808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045027Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:08.513{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1B28-6136-F108-00000000F001}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045026Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:08.513{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045025Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:08.513{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045024Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:08.513{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045023Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:08.513{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045022Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:08.513{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1B28-6136-F108-00000000F001}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045021Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:08.513{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1B28-6136-F108-00000000F001}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045020Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:08.514{323FE7D8-1B28-6136-F108-00000000F001}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045019Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:08.245{323FE7D8-1B28-6136-F008-00000000F001}44201960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045018Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:08.229{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C333769FC0907187E4135282F240C77,SHA256=4168199FD47C2B5253BC017FDEB8436863BBB627D9FAED6FC549E6CFDD8D7C4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026158Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:08.182{FFF7FB96-1B28-6136-6A06-00000000F101}28722492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026157Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:08.010{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1B28-6136-6A06-00000000F101}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026156Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:08.010{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026155Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:08.010{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026154Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:08.010{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026153Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:08.010{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026152Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:08.010{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026151Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:08.010{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026150Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:08.010{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026149Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:08.010{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026148Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:08.010{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026147Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:08.010{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1B28-6136-6A06-00000000F101}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026146Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:08.010{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1B28-6136-6A06-00000000F101}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026145Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:08.011{FFF7FB96-1B28-6136-6A06-00000000F101}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045017Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:08.012{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1B28-6136-F008-00000000F001}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045016Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:08.012{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045015Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:08.012{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045014Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:08.012{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045013Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:08.012{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045012Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:08.012{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1B28-6136-F008-00000000F001}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045011Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:08.012{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1B28-6136-F008-00000000F001}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045010Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:08.012{323FE7D8-1B28-6136-F008-00000000F001}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026188Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:09.760{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25517A0A83DCE8BC2443DB52B3F1CDDF,SHA256=E477DFAB0B1B52BE654DEE00530D14562EBBD51B9B5F7CDD3BEC943068901FE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045047Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:09.796{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1B29-6136-F308-00000000F001}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045046Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:09.794{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045045Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:09.794{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045044Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:09.793{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045043Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:09.793{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045042Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:09.793{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1B29-6136-F308-00000000F001}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045041Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:09.793{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1B29-6136-F308-00000000F001}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045040Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:09.792{323FE7D8-1B29-6136-F308-00000000F001}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045039Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:09.298{323FE7D8-1B29-6136-F208-00000000F001}34846584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045038Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:09.260{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D0BB2C0B3F1608825C7067DA210056C,SHA256=AC9645CCE5222FFDF1C292A80ABEB86B06A9DC2524552BEC93DB5001BFDFCE89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026187Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:09.432{FFF7FB96-1B29-6136-6C06-00000000F101}912840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026186Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:09.292{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1B29-6136-6C06-00000000F101}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026185Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:09.292{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026184Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:09.292{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026183Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:09.292{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026182Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:09.292{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026181Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:09.292{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026180Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:09.292{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026179Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:09.292{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026178Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:09.292{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026177Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:09.292{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026176Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:09.292{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1B29-6136-6C06-00000000F101}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026175Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:09.292{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1B29-6136-6C06-00000000F101}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026174Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:09.292{FFF7FB96-1B29-6136-6C06-00000000F101}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026173Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:09.245{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25193BBFE0EA5164722F1EC3E457295B,SHA256=F87E127D690EA52F49524FBE0364388C481A0C3B1A12F6218F271CEC59ED9F0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045037Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:09.129{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1B29-6136-F208-00000000F001}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045036Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:09.129{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045035Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:09.129{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045034Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:09.129{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045033Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:09.129{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045032Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:09.129{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1B29-6136-F208-00000000F001}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045031Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:09.129{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1B29-6136-F208-00000000F001}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045030Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:09.130{323FE7D8-1B29-6136-F208-00000000F001}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045029Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:09.013{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEDAC81FA1EE8EA861F28B503E6EA4E1,SHA256=576570ED4A66E928D6543B0E031C64F4805BB6A79D2AE8270A8245D510FD7F27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026191Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:10.807{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DF843FED94F3975E1207983EAF7871D,SHA256=0246DC7DC846C743E05E10510DBE6DF0C8BECE82F414780A6BDE3D3B920567D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045050Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:08.768{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51686-false10.0.1.12-8000- 23542300x800000000000000045049Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:10.264{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC0A8438C6EA62F2B4B5127E6102F21C,SHA256=4F420A0390300422F2E134D499715F18B22C9A4A183B38F275B4E867E63EB91E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000026190Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:44:10.776{FFF7FB96-041E-6136-1100-00000000F101}1008C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a325-0x459d2e65) 23542300x800000000000000026189Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:10.307{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6362DD7EE2351A3E61C677B9E4D7242,SHA256=1DA962D3BC5B9A62C17E006AC2867E385C3E8861BA83D3CC414A619D48CFA277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045048Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:10.133{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E456495E9B5A8E93F01927E4CC7CF029,SHA256=3747C76A697FC686504CE72DA832D8DA992E58649946CDAA6C948573EE298C94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026192Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:11.885{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36CD31BFB3E0BD2FC30C58DE90DC2F30,SHA256=0637880AA349CC7340E72228CBFF62404CC4330CBF488FD5D62A140E30BD8FBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045051Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:11.299{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81B5AFFC0888824EC827E600D514C01C,SHA256=80FA7A3A9AAEAECE6A3F330C4AE141D51F5A24305C133148713F470128381341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026196Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:12.917{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6B937EC156242C2F57014894435652B,SHA256=B67709C0C65FA30506DA6B1E2F6E2B72AB8EC6586A1425A6E6D54CC79F1FA2ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045053Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:12.316{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B940057EDDC7AAB5BE4AEB76346CABEA,SHA256=FC25ADA14C573F1A9FC0A9CA67D0B9C25E71E5748E2AF636EC4CE3BD2CAFA415,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026195Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:10.919{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50937-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000026194Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:10.606{FFF7FB96-041E-6136-1100-00000000F101}1008C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-353.attackrange.local123ntpfalse20.101.57.9-123ntp 354300x800000000000000026193Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:10.606{FFF7FB96-041E-6136-1100-00000000F101}1008C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-353.attackrange.local123ntpfalse10.0.1.14-123ntp 23542300x800000000000000045052Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:12.079{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\permissions.sqlite-journalMD5=CBABE87EC8DC2FA5CC5EE15F47FBBE6F,SHA256=4669D34B2DAB23875BC89194B6D2A23EB5BB04B344B7BCCA60AEC852F8D87746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026197Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:13.948{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A693E5E6CC8663D6B605D6A2310A183,SHA256=7ED9C04D65206038A8B88CFB9327A606DF187EF33FCF63833C15002E2D9C1AA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045055Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:13.317{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EEEE447E335F7977EA1E3B882519277,SHA256=5432D03E16D58AC181300364E73637756B6C20CE089E387060B426E9A5A8A58F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045054Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:10.383{323FE7D8-022E-6136-1100-00000000F001}492C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-456.attackrange.local123ntpfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal123ntp 23542300x800000000000000026198Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:14.948{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF0D45FD26528A92DFE2B5EECEEBABEC,SHA256=68FFB0BE774031FB109F9BE4D5E82E429CC2E03CE0B21441F31BDE0C636CA026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045056Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:14.348{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=175C5A2CDC54550E3B64B33C2AD1C6A3,SHA256=E5D1510EFDF37112E9D6FED48056EA1DC4A9A81D8A6293715961F53A29CD4CFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026199Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:15.963{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62687C7ED2D5CA93C231B95A7CE77F83,SHA256=BBC081A177E7326AC6FA6175FD1165BA85DD85F091E79A827850972986F0107C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045057Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:15.378{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C5CB684D0C5717559B0053E2A00756C,SHA256=D56CAF606EF701AD6FC2AB03940A3A30A703B9C0C8EFB8A8A6722D4D8F5D0AF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026200Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:16.995{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=773D2A8A279AE5B93C6875290DF07BA5,SHA256=40155C7988CA074A6C567A67A0AC25B31708EAE88C88BE8029447199B1024653,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045058Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:16.396{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=018B8737A6A1B5CFF0D7ED1CEA4A6A94,SHA256=A4F77D79CA6E1FB5031B7ABD39F83AD11D5C2AEFC7ECA11682B81A146C784366,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026202Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:17.995{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9D092A1F10EEB1CBE10A22546DECA10,SHA256=F9F3D2634D5CAD2CE48BAE68352A2ED3B26225FAA1BB4D564367F4AE24ADDC32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045060Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:17.415{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0AF8A593E16A9A1517E2E745898D64D,SHA256=45544C578B8F29EDCDEA89D6E20DEC4B08C5293C94774030B78DC55241AA09F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026201Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:15.950{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50938-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000045059Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:14.639{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51687-false10.0.1.12-8000- 23542300x800000000000000045061Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:18.430{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=995D33DE3D7FDF5A0574048F3289B7BA,SHA256=B15690E68DE6786A4A819B61450007B2CAAFA88205DD820C01487F84A47A3432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045062Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:19.445{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D28DC87EAA901A7DCEDECE86F3C2A9A4,SHA256=D25A554CFD2D3690FBB1BD3F17D7CF885886DF0E2CD45D2B70A0F532E6F64E9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026203Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:19.009{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C88EF02BF660CC308DE031F5E79C214,SHA256=282F340514F75B54C3A5F0F624EBBC2E8B1F6A4ED6E3F4440CFFDB7622287646,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045063Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:20.475{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A04E325022787E3B89B2C11D61431E33,SHA256=362299792E6C3D7DDB2A424690D5C7832E78E4670D4687D5426F845CDE4DE8EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026205Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:20.091{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\respondent-20210906120554-095MD5=4761C661187147E55C9BD88F93ACDD3F,SHA256=E49051AD655512C416AEEFA39D6145E31F50204E8459201070596158B48A8487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026204Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:20.042{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC01619209611FB89C6FF8EE6EDF0AAB,SHA256=73AA055D46CFFC1BCE66656BD2621228F6FBEECFB05402629F8F3A14184CED69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045064Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:21.512{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94E8DCEB1B51A32F9EC1F4338D8FDBE1,SHA256=DE6CF9445A327F44F019949A71113B09519A7AEF6D11359C72116A0A74EADEC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026207Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:21.096{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\surveyor-20210906120551-096MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026206Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:21.079{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33E5488E4E0E4B1E4FFCF3C66197AFFF,SHA256=D545F2DF9C7099B5174D79B1EB92BE8A467CB0CF9DFE7CF34C300EC102345E0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045066Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:22.527{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C98C556546A822DF0A8C8EC9F6202AC,SHA256=D323EA3379023AA20AB4C6989AF2B6436571B23C5AA27DC1BFDBBC01C5ECAEFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026209Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:21.049{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50939-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026208Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:22.095{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E09E7776D3FD5FE6D57BB327066E7032,SHA256=6179655756015630B9CCC2B70149C4B60AADA2A361DBC29B28113DA3F52E9D73,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045065Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:19.820{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51688-false10.0.1.12-8000- 23542300x800000000000000045067Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:23.542{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFAD4FA040672FFD6C39C56D69FAD587,SHA256=E8307A0FE08742042B08509DE5D9B50FF9E89369BDC755709EF3140A88DF2363,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026210Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:23.095{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B454656C7F165090277A50B49F05289,SHA256=E5C1B91C19D798952B94C60EC62E9EEAB00066C136F9241659A8041E451D2A69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045068Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:24.610{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF912DB50B6F00AEC9222B010DC5702,SHA256=463DF1B368D7AE842BA7984A9FF67BA9617FF1AF13611CDFF7466DFFC590956E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026211Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:24.111{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5CB13491BEFAB0ADF6899DF731A39F5,SHA256=F62B8BFE954797FB757B2190FC72C9AE99F26BDBB8F2F461D4F7718014812E34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045069Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:25.625{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10A84A923E7711B47EDEBBFD00C15880,SHA256=45807DDA1914682741BF69A4BD1AB930AA53AEB847BEA62FA2F605FB5294BCF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026212Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:25.127{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC53153BD88B2E9384EE772139F091A3,SHA256=E0ABEAB5EB6537D7868CFCCB7ED5B46ACC9B0F526CA0720EF11981D4F686309E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045070Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:26.640{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86A85ED0897B740C399748F9FE77C228,SHA256=6330837FD68AE3BEB69F9680E933F7A33A233FB068746AC81A615EF92661A4CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026213Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:26.127{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3B05E97E41FA078B065C6A1B86F9533,SHA256=83D782CFD324E740239A89A746904C40FFB8C33D7308D6D17099255BB19E9D74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045072Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:27.655{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21C928605CA9B689BEEE7368108C9BBD,SHA256=91E4BAED74587CD49607314DE40E5E3917ACF3E43A3D127476C0418595D59717,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026214Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:27.158{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C07DAD8EB49A7DB64454F6610AEBF299,SHA256=7E9186AFE8357436B725701B609D307B95058938A73EE6936ED4B8EEB367F370,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045071Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:25.632{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51689-false10.0.1.12-8000- 23542300x800000000000000045073Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:28.670{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5091F4BA293963FA841A85513197622A,SHA256=26F03718B7FD96B02135FD3E155FB2A54BBBB52B20B29FB89E5A914533AE9F2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026215Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:28.158{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8DE664F3A6AC3AEFCE8DFEA3381C28B,SHA256=58B5CD868E7F5B1360A26E8575E8B8BB32A5460DBFB68E179211E2390442F639,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045074Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:29.687{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D129F3A6EACA2BEA0F0583D4889B58B,SHA256=54F67326D39084282C36CFC9EFF8EAC28F680035BD93484A35A5F8F1058F061A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026217Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:26.895{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50940-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026216Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:29.174{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A408A35A5338223BC130BE83D1165928,SHA256=29FBC43982D12EAC9C12648EEFE406A4B641A5000BB4B7A86998A8B7C1637A86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045076Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:30.706{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=368BD34B8EEE38A940126FA80858E901,SHA256=4280D71DE0ECEDAB8C1B9B05BB0271787A454DC7205B5481893D5CA83F5384E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026218Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:30.174{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A4A743687CBA80D92856DAF84FFD62A,SHA256=F7F2585396E04D847ADF3C60F65D4A8B024013DDE75551403A71A95E649ED4E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045075Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:30.290{323FE7D8-02BC-6136-A700-00000000F001}1036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045081Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:31.991{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045080Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:31.991{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=CFE38EF4D0E3BC77F1DA07D7B5AB2A4A,SHA256=5F1944CEB72658831D8BBF81ADE689DD43E33B47384CCA94E8BA0DCA6F691D04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045079Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:31.770{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\respondent-20210906115753-103MD5=58D52BFFD80488B8005F7C319C2D4334,SHA256=B9D8441D1BC2ED8425146F5F211E2A21C477807F4E0B7EBAD9811C868FAB9279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045078Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:31.721{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7BD1408BD63A571CA2B83F3CA99D80E,SHA256=5B2A8B7DD8C2770A5CCD5A2B6E76ADAAE50A0FFFB01F803B7D3ED6166328BDE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026219Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:31.220{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=137522989970D5257758DA8CC5758836,SHA256=8788B6D4359B30D130AF34FE275F93405B6365E6FC28E140396731C05A245961,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045077Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:29.860{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51690-false10.0.1.12-8089- 23542300x800000000000000045083Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:32.770{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\surveyor-20210906115751-104MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045082Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:32.738{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E024DC0EFAEBCE91A033A9D019D5163,SHA256=4DD225B46B14D9BE486EA33C3B65968C18423F4CCA95F903AC46EBC2DB8EAA6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026220Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:32.236{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09A73DF44139350DE345FA7AAA5E045C,SHA256=8F5057E576C32401FDC70B723F37F080DAFDE99786C171A1B31F37C20500421A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045085Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:33.753{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97FC520516D3F57EB6D8AFDF4BEA3B2F,SHA256=1BDD855D76C4FADB2921D0B5506CE461A651DC4203477B8DA2599CC79F10AB62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026221Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:33.236{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F83FD1CDF27EF98DA33BDA1F4C3B9F56,SHA256=D33A2BAEE8D8EC8D05BFDE18524720C3E967CAD647F074B84E71B0C04909280B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045084Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:30.828{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51691-false10.0.1.12-8000- 23542300x800000000000000045086Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:34.768{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AD98EDB684BBD4F650F07994EA7DD0D,SHA256=678A1EBCC188981C7F8A6C18DE98DAAEF5275C0BA708598AC28291145DEE0385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026223Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:34.267{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5863E326ABE63B4446396169D4AA9C1,SHA256=AB278A73E11B00F53AEA894A3A33A39CFEA058CE30DB24EA56E685E004B88F14,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026222Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:31.942{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50941-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000045087Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:35.786{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D66BFF2F1EF859321934FA40B8E4249A,SHA256=17984D25055E86CBF8A0F341ACFBFBAC35A24E5EFBCC76679433C1AF3D8FD265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026224Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:35.283{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DA3C3F6983442B377679DA1082E67B4,SHA256=9182B7ADD106C6C419C6A3FBAA931A654E182A208FBD290712F2607B6D23EB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045089Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:36.804{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88EB0B62BAAA9C797CB41997DEF22720,SHA256=9045F7962C4D52A2E38695023A42B6B5DE27DF14C055A87E9A45C62E9AD2CA74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026225Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:36.283{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BCA1116611C3C051819E4C8E0BE2D1C,SHA256=0A8CE5D33D826D7D855400BD3011F2545B226BF6FCA12BF0A4E8B2BD2EB7101D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045088Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:36.251{323FE7D8-022E-6136-1000-00000000F001}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6F724AF5A415AF6145B341639E669202,SHA256=65626B977EFA946B5C4D861AA6E48CD61114F38A648EEDFF79EC9C3B807B4585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045090Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:37.834{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1D3AE3BEFB722163187ABE72E8BC02,SHA256=ED6D10D48E031DB9E00A2C945EE54448A2232F37A238FD9AB6E70D477DAC66D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026226Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:37.314{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B5362A72DD21B22265B1EC5E4968BCC,SHA256=9C0EF6F460167086679C83C8B25C4F24D0883F1E123D64F4CB167D45703A2F55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045091Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:38.865{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CC26715B6A3E854391E42CCC362258F,SHA256=65619DE5AAAFB196F78790635A69858AE93553FDB26BB27ED72A25705640796C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026227Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:38.314{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D962FE5AF8E0D95B55C19799921B5B10,SHA256=957374AD2144C9EE93CF55EF0BC79475957E5FE8A5713F5D1DD119B7B6BFD201,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045094Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:39.886{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B17C9AB4D9CEE70CF06F8ADC03C70A86,SHA256=716072FA2BC26E140628C18D67CA8EA829B52EF2F181BB15E539F0DF2A61426B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026229Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:39.326{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4730356D27BF3BC51E2EE657010AF86,SHA256=5B6492979377C3D50E362B378CCB8E2CEC5C045A2BA0B555D0DF2E407D579498,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026228Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:36.958{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50942-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000045093Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:36.842{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51692-false10.0.1.12-8000- 23542300x800000000000000045092Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:39.449{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\permissions.sqlite-journalMD5=FBB99CC5E0A5E7A4F8C43E0947483603,SHA256=44071743AF8E4005551CFE063B9C5A1B8F9AC81453DD0FA1FEE0708BE825ECFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045095Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:40.901{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63926572F765CEB149F5C4C52F7D41BA,SHA256=88236EAC568535CDBBCD8B1FBBBFF57A4DEDC278B180B011EBF59AA45918E4F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026230Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:40.326{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4D8A8FB75123A211EFE5546F80FD279,SHA256=3D7A5F7A902A61072DA216101EFBA88A0EAACA3544101833F355287C5BE3CC06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045096Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:41.916{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F5AD8AE09E347ED2F2446DF2830C2AB,SHA256=49E7F46AFA8C9EB78F62DA2D807B05CD3AD62F629D811ACFCB6C54295E64CD75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026231Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:41.341{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=185D8CA2B55AF89A130016EE7C857402,SHA256=B48D3138CED059B501F31AD53241B582E20377796B449F3FEB8598E308A9D6FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045097Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:42.931{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36A04A9F602252746CFA2036653E9CAF,SHA256=29CCF8775CA4B9C99BA866FA873C1E64E8FBB2D1F4BB90C0489064428D932219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026232Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:42.357{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32D39C68723CC853F2E19F5DDB9652D1,SHA256=2FA125B4E44475FE808608C1020BA8D61EB671491E0A1ED625A9C9E0AA36EB2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045098Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:43.961{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E55F88089D5D5A882876A09591B3FDF1,SHA256=EFA0CA515CED64923AA504A6CED726244080491C74882902E3D22D1A169E49C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026233Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:43.420{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F99F2DA41EC724E857FFBC273E465AF4,SHA256=300179AB07BFFCBD8E37F0270CDA2B300E96DD5B7BD3F5FD02C8A406FC986962,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026234Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:44.435{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B00E4CDB6E02D71E8715ACA13AFF91B2,SHA256=353369CFD85E6F3724545ECFF5CBBD846C4C52621C081C72F882D51C7A4BE0AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026236Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:43.001{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50943-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026235Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:45.451{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE6121AFAA021A35AA86A962C31BE386,SHA256=4FFC164E2295631210778315655748D9281567B15602778A9818C4B40E2F6511,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045100Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:42.853{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51693-false10.0.1.12-8000- 23542300x800000000000000045099Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:44.998{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2861EC038DFC623300414270436349B4,SHA256=6C9472A30E89CC1DB78D7E1CE5B2BC10CB270086EBE79EA13FC1112F48D2465E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026237Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:46.466{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD857553B0DCD29F03AD373A08FF8247,SHA256=37A1CFF47CCC2004BAC576E1182F7CA3129F2630B616DB53B1F9168A4A297D18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045101Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:46.028{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=601193759FFFA87608A386B713DB835C,SHA256=1BA8273C3895FD495FFBF7A91312F0647BD027EAE021F2F766594417C43582F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026238Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:47.466{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD09D9CB09A6EF3FB7399FC32D7FD7DF,SHA256=12705A4A8F422847615CAE2AE8C1E07B3E3C4C6EF82F2BC6C548CC4AFDFDEF3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045102Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:47.061{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=822701FBF03A0E16D2457A5BBB677D22,SHA256=91054E49AA0C6A1730359548133F6643F6E931A11EAB238199088FBA28639E48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026239Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:48.498{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64278EE69BB8AC52625B1584B68FBC68,SHA256=22985C3683E84AF6913E3A448C62674A18404990D14AF67A245D3B8747ADA3C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045103Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:48.062{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E0FF722D14FA0ABCB8F41CD66B7D492,SHA256=525A10F807F676EFE12F0793F9B37C87DA054D434EA89372B30C1B2AF036A1E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026240Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:49.498{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4AD0E552145CB504DA71F921F0D493C,SHA256=CAD4B73E2E519A3F6A50E8A4E38EEC672B3047FBEC6A4951FA23296A8A58CF69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045104Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:49.079{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC8CD217258487C268018376DC6A3448,SHA256=11D4408AD9938A2FED1B5816C1F2ADC63CC88A15168FC2008407CB3F552C76EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026241Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:50.513{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66B7754CE3B296CB1C66A54A84B483C6,SHA256=EFAB74736E929DF373788DA9964611E971F662508AD92447A19F9D64E656BE33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045105Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:50.098{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55D6ACE4FA0811424DF3B71EDEA3C84A,SHA256=5A87E9F81E10F12651E736FD81B51CAA44A5A0B0C7D01C81E7F43A2CE5B450A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026244Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:49.001{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50944-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026243Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:51.623{FFF7FB96-041E-6136-1200-00000000F101}1020NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6E6525C7572086B0D06BD00F3D9E287E,SHA256=B91E7417206AEDB1B823CF83220EC4021A3F6C1ACAA2152495B09C0A4A32D6DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026242Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:51.529{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B16104EDA7DEBCA91F221191F992FE4,SHA256=89882DAADBFFBD3DE972441EBD94F54701811C84FFCC54A05B585C918E998CA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045107Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:51.129{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC59EEAFD4D263FF07ACCD95B8CBE1E2,SHA256=E9B1D47DCD3CA5F9CCBBDB908AF169DC1AB4E851C174F6FD4E57E337D073BD99,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045106Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:48.672{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51694-false10.0.1.12-8000- 13241300x800000000000000026255Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:44:52.826{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000026254Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:44:52.826{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x005abc35) 13241300x800000000000000026253Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:44:52.826{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a31c-0xfc7bef7e) 13241300x800000000000000026252Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:44:52.826{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a325-0x5e40577e) 13241300x800000000000000026251Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:44:52.826{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a32d-0xc004bf7e) 13241300x800000000000000026250Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:44:52.826{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000026249Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:44:52.826{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x005abc35) 13241300x800000000000000026248Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:44:52.826{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a31c-0xfc7bef7e) 13241300x800000000000000026247Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:44:52.826{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a325-0x5e40577e) 13241300x800000000000000026246Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:44:52.826{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a32d-0xc004bf7e) 23542300x800000000000000026245Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:52.529{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ECE1DC232D0288807584CFAC8214094,SHA256=B55E96EA052688561515FA9884E55A25D16259112AA10D940A7DA36783259C36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045108Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:52.144{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FB421357749C97EA1D6D01F42AA218A,SHA256=3DD5804FC8C642E9A519BD31CFDA776AECF07F2776725F62B581880767C56CC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026256Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:53.544{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41CAB7C61EC7D410BE9D62C3A897CF14,SHA256=C1FF4A120E28170603F46C65B62E975EA259EC6D963CF6DBCA3768E6FD3B6E3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045109Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:53.159{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E865D9E21CE5C7FBB07246ACF0870648,SHA256=BE641A3609CC579355E9DF666767B830BD6F347BBD848B0D88AA7E22233A184A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026257Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:54.544{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8DF04616C73DEFC94AEA054F55AB7D6,SHA256=6BB55D1A9BB817288421F63A0ADAD09D30FDEA75A0C01BA0A7C5E647FA00B0BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045110Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:54.179{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7EB1C74D27EB3B3B75DB4D18916AF46,SHA256=F0F6F5E94378E71371836BDD9CF077328D4CD85D6CCDBAD19CF7EF3726FEDCAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026258Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:55.560{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97549DD08BC320A33D4FCDA20434B97A,SHA256=A90A56987726180F969903190D0FD2F07610081A7E6DE1FC1E015770419DF1D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045112Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:53.702{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51695-false10.0.1.12-8000- 23542300x800000000000000045111Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:55.195{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A13FF856269F4EA5EF3D48C3699A8EAA,SHA256=20C3F2A72D0BCEDB5C8EF30DF01B08452F609ECAF06200AFA672335A09542478,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026259Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:56.560{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=495994296A00056F737D13D2A1B61652,SHA256=1D4926A797C8777F78779813403FA9458030B3109F749C4A9D5DC1FAC63ADBD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045113Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:56.209{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F499687719333F459054B394D6D40B74,SHA256=0D659EEED19D2736F714A06805EF0F3C7315351AECC9A728110126A11B7A670A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026261Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:54.907{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50945-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026260Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:57.576{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F20D0995EA9F5A98C6073FCC02D7980A,SHA256=B778E7BD0BF1776EB3AB7B8BFC5C3743D5D37EFB1F4149CCC3B5A4393084D296,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045114Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:57.224{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D908B6175037AD974F32E926F174BED5,SHA256=31C707AC40C464AADB1E5177D59587654288753CE962E4B7C846155CEAB79A14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026262Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:58.576{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB897D5A273558F0DAC4F2FC376DBAF5,SHA256=05274AFC7B4C8B2C91F6B2669085BF1C41BE26BA20B348568173EE8824A32335,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045115Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:58.255{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C724C9AEE149E902B844BFE72344181,SHA256=E81007265C1689E5BA1F26306517CFA389BDE7F4EFEAD77FA26E6EDB9DEAE711,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026263Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:44:59.596{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A32BC2758B93D74C8DD5E5685D533D59,SHA256=99C1F66550F4E4B2177001A60682ED4140B5F22E2C53F42E2371D0C9C4ACDBB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045116Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:59.276{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F706B18A804CBA9E2DCC2D8F0F75D0A3,SHA256=F3554DD126D68051F591949F27BB6A7FC9E75D6631523318EB06B33B2D5EB8A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026264Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:00.612{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A9BE78EF5F70D3D1A8BDE2C234A0EF6,SHA256=DFDAFF2D05122C5DB1278054AE6FFB18CE8AD8FBD3C47EE619B134E1DE9BDF09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045118Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:00.291{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82E9E2A82094F659C06EE2B016FAED52,SHA256=2BC8FD52468F880CF42F9ABB1032E50926FE44EDEF2CE7C67E7E1773E585D0F5,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000045117Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:45:00.038{323FE7D8-022E-6136-1100-00000000F001}492C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a325-0x62fa0514) 23542300x800000000000000026265Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:01.643{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F8F506EA66B855F0324772F5430968D,SHA256=2B8F80A8995156ABAEFD1852CE2059CEDE8BCD0ED4E2E7BE1DD4C4BCF6225B4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045119Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:01.322{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3ACCECBAB0882AE191066BB38337A1F,SHA256=C87B45E5A6DE9D4D0E2F42F03E7FA673D04875BAA923D38EEA29AB2E637F6BF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026266Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:02.674{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C722889090D0777475705243668AEDAA,SHA256=A608584BADA39E197F659B89B24FAF44929C92D43AE0631FFA0A89B26A339FB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045122Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:02.337{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD50CF70C5EB7990A795BDD746181DDB,SHA256=F5253CE76D349BB4CF2E7418CAE134F668AF130041DC294CEA61E7DB7F6F68BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045121Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:59.714{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51696-false10.0.1.12-8000- 354300x800000000000000045120Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:44:59.613{323FE7D8-022E-6136-1100-00000000F001}492C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-456.attackrange.local123ntpfalse169.254.169.123-123ntp 23542300x800000000000000026268Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:03.705{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23F3FAC7869257363B3E3847991989A4,SHA256=23A33984CBF7695CB75CDC54FC5815EDBA24E6D9AAA73F10181EC11E3ED2FA77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045123Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:03.352{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64712E31A67044DF6228618AAF108AB9,SHA256=32C9354E4470C66384FB04C3E23B68356319ACA70F70018029DD8E378AADF28D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026267Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:00.896{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50946-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026269Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:04.705{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8CCA3008B160C2BC67E55223612FC4F,SHA256=B650A5426C66CDD6585FAB66E320DD15FA8A9BCB6921394FAC9858D5239FDE55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045132Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:04.474{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1B60-6136-F408-00000000F001}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045131Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:04.471{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045130Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:04.471{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045129Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:04.471{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045128Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:04.471{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045127Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:04.471{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1B60-6136-F408-00000000F001}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045126Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:04.470{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1B60-6136-F408-00000000F001}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045125Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:04.469{323FE7D8-1B60-6136-F408-00000000F001}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045124Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:04.352{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9933B6B94A48F13B261E8DC02699A948,SHA256=097934525F136542FBB83DECC5B77C90113F9741EA41DB07BE917BA49308BB64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026297Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:05.799{FFF7FB96-049C-6136-9F00-00000000F101}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026296Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:05.736{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1B61-6136-6E06-00000000F101}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026295Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:05.736{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026294Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:05.736{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026293Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:05.736{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026292Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:05.736{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026291Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:05.736{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026290Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:05.736{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026289Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:05.736{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026288Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:05.736{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026287Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:05.736{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026286Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:05.736{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1B61-6136-6E06-00000000F101}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026285Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:05.736{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1B61-6136-6E06-00000000F101}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026284Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:05.737{FFF7FB96-1B61-6136-6E06-00000000F101}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026283Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:05.721{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A88876826EC5FD8EA7F1A4E7D1AF8F5D,SHA256=B1D1294175DC5853F9F86382903D5FEC004BD516C960792EDC8DA923C9A47614,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045152Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:05.804{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1B61-6136-F608-00000000F001}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045151Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:05.804{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045150Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:05.804{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045149Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:05.804{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045148Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:05.804{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045147Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:05.804{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1B61-6136-F608-00000000F001}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045146Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:05.804{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1B61-6136-F608-00000000F001}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045145Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:05.805{323FE7D8-1B61-6136-F608-00000000F001}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045144Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:05.473{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE7CD61CC8F6EF0EC9C1C92038774B03,SHA256=AA8CD3518016F1B24735C7623AFFA7C6DFD4F4BAA7B71E6EB63B221BD914087E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045143Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:05.473{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FE7A79E960142A7437BA7A7AF55392E,SHA256=957CFE084E5FFD89CAEF3A1D47A1F3373C15E4101B353FBD4D6D846976B358C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045142Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:05.373{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE95F07879F0EA036D27AE109321ACFD,SHA256=D77EA99EE7B3E406BD3A2AE1EBB94044FA72375754FB56C63665D6AE7053F26B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026282Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:05.065{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1B61-6136-6D06-00000000F101}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026281Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:05.065{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026280Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:05.065{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026279Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:05.065{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026278Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:05.065{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026277Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:05.065{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026276Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:05.065{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026275Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:05.065{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026274Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:05.065{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026273Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:05.065{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026272Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:05.065{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1B61-6136-6D06-00000000F101}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026271Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:05.065{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1B61-6136-6D06-00000000F101}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026270Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:05.065{FFF7FB96-1B61-6136-6D06-00000000F101}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045141Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:05.321{323FE7D8-1B61-6136-F508-00000000F001}66486312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045140Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:05.136{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1B61-6136-F508-00000000F001}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045139Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:05.136{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045138Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:05.136{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045137Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:05.136{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045136Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:05.136{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045135Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:05.136{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1B61-6136-F508-00000000F001}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045134Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:05.136{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1B61-6136-F508-00000000F001}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045133Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:05.137{323FE7D8-1B61-6136-F508-00000000F001}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045154Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:06.651{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE7CD61CC8F6EF0EC9C1C92038774B03,SHA256=AA8CD3518016F1B24735C7623AFFA7C6DFD4F4BAA7B71E6EB63B221BD914087E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045153Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:06.389{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B85280013642FDD94A68EC5EBF449BDC,SHA256=7D0FA8A7DC40243413D80A4BE1E27EB8A1E97DA7F42820F99423F3D8C5EE43AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026313Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:06.408{FFF7FB96-1B62-6136-6F06-00000000F101}9322996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026312Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:06.236{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1B62-6136-6F06-00000000F101}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026311Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:06.236{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026310Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:06.236{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026309Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:06.236{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026308Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:06.236{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026307Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:06.236{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026306Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:06.236{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026305Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:06.236{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026304Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:06.236{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026303Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:06.236{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026302Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:06.236{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1B62-6136-6F06-00000000F101}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026301Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:06.236{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1B62-6136-6F06-00000000F101}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026300Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:06.237{FFF7FB96-1B62-6136-6F06-00000000F101}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026299Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:06.096{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFD10DBE37218069B00CD02D4CCA35F1,SHA256=918AEB829E06D82428BA6A2C5B1F6C1408D8A307BA5457B9EAB66ABFD514F9F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026298Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:06.096{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A2904CF23C91487CEF2EFEC9F110178,SHA256=189A1C2EF17DDB9A756B9A3D7CACE1E46512FA0685609E435493D7C762D7C7E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045158Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:07.404{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A5513C2C79BEB4780CC05A20C6D84F9,SHA256=8CFFE7FB807366BD6EA743E5DDC70F83F764A659D58A7B56C197157641E5770E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026344Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:07.955{FFF7FB96-1B63-6136-7106-00000000F101}32042508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026343Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:07.752{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1B63-6136-7106-00000000F101}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026342Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:07.752{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026341Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:07.752{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026340Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:07.752{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026339Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:07.752{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026338Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:07.752{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026337Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:07.752{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026336Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:07.752{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026335Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:07.752{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1B63-6136-7106-00000000F101}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026334Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:07.752{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026333Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:07.752{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026332Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:07.752{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1B63-6136-7106-00000000F101}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026331Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:07.753{FFF7FB96-1B63-6136-7106-00000000F101}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000026330Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:07.487{FFF7FB96-1B63-6136-7006-00000000F101}40003880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026329Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:07.299{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFD10DBE37218069B00CD02D4CCA35F1,SHA256=918AEB829E06D82428BA6A2C5B1F6C1408D8A307BA5457B9EAB66ABFD514F9F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026328Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:07.252{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1B63-6136-7006-00000000F101}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026327Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:07.252{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026326Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:07.252{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026325Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:07.252{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026324Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:07.252{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026323Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:07.252{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026322Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:07.252{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026321Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:07.252{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026320Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:07.252{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026319Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:07.252{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1B63-6136-7006-00000000F101}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026318Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:07.252{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026317Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:07.252{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1B63-6136-7006-00000000F101}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026316Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:07.254{FFF7FB96-1B63-6136-7006-00000000F101}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026315Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:07.252{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75B752306D692FF36CA27B7477324E89,SHA256=FE9F23A4F328DCA46290E9A9363752CC66D2B19805D72B644D923BBFA6B4C133,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026314Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:05.631{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50947-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000045157Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:05.661{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51698-false10.0.1.12-8000- 354300x800000000000000045156Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:05.212{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51697-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000045155Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:05.211{323FE7D8-023F-6136-2800-00000000F001}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51697-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 10341000x800000000000000045177Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:08.872{323FE7D8-1B64-6136-F808-00000000F001}28923488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045176Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:08.688{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1B64-6136-F808-00000000F001}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045175Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:08.688{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045174Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:08.688{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045173Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:08.688{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1B64-6136-F808-00000000F001}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045172Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:08.688{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045171Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:08.688{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045170Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:08.688{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1B64-6136-F808-00000000F001}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045169Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:08.688{323FE7D8-1B64-6136-F808-00000000F001}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045168Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:08.419{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4A8AC77CD07C5FB98EB39E5DBFDCE66,SHA256=36F7AE796BE4EEF094FA25C8FAF1B10F634A1CBEF458D554DAF48B46ECFEEC09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026361Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:08.768{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09F6DA98B8494824B080116F57C279FE,SHA256=8DAC83315A5F687DA39E93863F6C41275A9936F1342F81241C0A649C64DF0534,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026360Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:08.581{FFF7FB96-1B64-6136-7206-00000000F101}7361472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026359Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:08.455{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B4AEC5927D7B230D9C7B481855449E7,SHA256=E281473926EAD3A0A1E73B6A41B80CCEA1D7C943F8A46A2E71D0B2ED45F3FAF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026358Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:08.424{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1B64-6136-7206-00000000F101}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026357Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:08.424{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026356Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:08.424{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026355Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:08.424{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026354Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:08.424{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026353Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:08.424{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026352Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:08.424{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026351Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:08.424{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026350Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:08.424{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026349Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:08.424{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026348Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:08.424{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1B64-6136-7206-00000000F101}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026347Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:08.424{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1B64-6136-7206-00000000F101}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026346Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:08.425{FFF7FB96-1B64-6136-7206-00000000F101}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000026345Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:05.927{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50948-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000045167Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:08.204{323FE7D8-1B64-6136-F708-00000000F001}69763856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045166Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:08.019{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1B64-6136-F708-00000000F001}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045165Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:08.019{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045164Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:08.019{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045163Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:08.019{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045162Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:08.019{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045161Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:08.019{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1B64-6136-F708-00000000F001}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045160Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:08.019{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1B64-6136-F708-00000000F001}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045159Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:08.020{323FE7D8-1B64-6136-F708-00000000F001}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045196Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:09.835{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1B65-6136-FA08-00000000F001}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045195Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:09.835{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045194Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:09.835{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045193Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:09.835{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045192Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:09.835{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045191Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:09.835{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1B65-6136-FA08-00000000F001}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045190Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:09.835{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1B65-6136-FA08-00000000F001}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045189Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:09.836{323FE7D8-1B65-6136-FA08-00000000F001}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045188Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:09.572{323FE7D8-1B65-6136-F908-00000000F001}44882376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045187Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:09.471{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D06A9BF803F2BED06B2B25D7F8CA986,SHA256=4799283E2E81630D762E4CEB93DFAF263610A52CD5FBFF05FCE0255B10E4F80A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026375Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:09.096{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1B65-6136-7306-00000000F101}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026374Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:09.096{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026373Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:09.096{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026372Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:09.096{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026371Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:09.096{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026370Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:09.096{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026369Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:09.096{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026368Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:09.096{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026367Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:09.096{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026366Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:09.096{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026365Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:09.096{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1B65-6136-7306-00000000F101}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026364Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:09.096{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1B65-6136-7306-00000000F101}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026363Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:09.097{FFF7FB96-1B65-6136-7306-00000000F101}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026362Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:09.080{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF2DF504DF3BB091356104AF1B6553FE,SHA256=D8BE6FF8E02571F61C8C3677E9E53C737CCCE3AD59BB5FC87803BCB385CE1C0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045186Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:09.349{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1B65-6136-F908-00000000F001}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045185Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:09.349{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045184Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:09.349{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045183Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:09.349{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045182Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:09.349{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045181Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:09.349{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1B65-6136-F908-00000000F001}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045180Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:09.349{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1B65-6136-F908-00000000F001}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045179Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:09.350{323FE7D8-1B65-6136-F908-00000000F001}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045178Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:09.050{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=115F4196EBFF391F81F5134AD1D31831,SHA256=A3B3A5FBB79C078AEE2E7AD87933E5FA353CA124BB12E35BDCA75EACAE43E418,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045198Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:10.488{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FDC7E48C5D48A2FFDC237056F82851D,SHA256=C304F28C88E411BE50D478FA20E63DD241D645F70081BB0E2E25EBF5E7DF7F65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026377Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:10.143{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EBB4B335554A50C2F82B493A3F950D5,SHA256=68F6C53DCDEAD0954D82DE95C5E2102AF663FB074827909EF4457F8A40AC5338,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026376Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:10.111{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BCFC63D60D11DFECE2E1919F46223BB,SHA256=2B131073E2C59849C8BBF2B3212B2459C8D027364A24172C7F82BE32D7735AC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045197Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:10.350{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4E8BCEFB907C2505CAED669B89941EF,SHA256=69693231715CB58F3F11CF770782E30BC2C69BCBB15453EF97EB0DD7983A907E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045199Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:11.550{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C42230C9B73FFC8AEE90871D45FBCE37,SHA256=2A442F22FEE08CF70FF3A89C24D58C630ACD0AA366493589CFB094E99604747E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026378Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:11.111{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAF95A153AFE9F129C2D2DDA9B314E8F,SHA256=DE39CA5939ECF55D4CB95D192299FD2CC1C080389DE6CDD9BEE1909132C58ED6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045200Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:12.557{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFC018DB21B034A92526AF6750CE86E8,SHA256=014A1D393AD13E4F975E3D68383F6FE3F94807805EC96CC09A785C0A611F4C2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026379Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:12.143{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=222F2DC4711BBB5EB20FC42D7797641A,SHA256=3C57F21A497DEE611DF25975B5D24D8547DF5FC9968E77324FB71F55C9DABA9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045202Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:13.574{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13B7FC72875DF9F0842078DD3EEB1B9A,SHA256=86F87B93D21A9FDCADD494EDC18C696EDB2D72CCBB2A00918713053075C1ED47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026380Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:13.189{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=738BBF206B3CF59D1C7CFACA4C8D25DD,SHA256=0D2D51049A8A5A0CA7F0640D6081436E532D27046FDE9D7720581ECF359953E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045201Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:10.810{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51699-false10.0.1.12-8000- 23542300x800000000000000045203Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:14.587{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFA329E7BC3EC951654744851ED91B8C,SHA256=CB0F3437B0CE003EC4CD5F9C11AA4C8AD9347C9419EF834CED0B5386BC6AD156,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026382Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:11.927{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50949-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026381Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:14.189{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3825A6ED5B9EF13AF0817DCB817DFE89,SHA256=9C3AFE582D51E0ED3BBB189AADA0BD238B4CE4DADB54DB2BA0FD9196713E53BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045204Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:15.606{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15622578A9B7D25E054D6C150453FE71,SHA256=94A5221437A837EC169CA9394C91BD7624E617BB769F2E9025B4D9C8E6F62826,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026383Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:15.205{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC00A6751565A2FA304CDDC93AD11221,SHA256=4A6B7484E382BEEF55F7EF190A1E0CADC37326F90ED3C83654A20EE123B1DE29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045206Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:16.937{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\permissions.sqlite-journalMD5=3A59F1AC86982A5EFE51F86B7B9A3B23,SHA256=1DD4DC2CA72BCD3D2E1159AF176890657286ACA6C39A18213F6FFF8F688C0B88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045205Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:16.621{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35E8E6E6695EB577C3D6E73FC78B1704,SHA256=28CCFEF01354159FD667E861E22CB6A33097085540701F0C2DCBEC9FAE96EFF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026384Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:16.205{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B015C6F42248EF85FEE40C5EBA840F44,SHA256=6DC060635433391BDDCCD74A9E902207F43A82E74A67CBA107CA17AF2DFDDF9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045207Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:17.621{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7D611AD30F05E5C847C607F39D10DD8,SHA256=0E87FC886918333992828136A22C8AC3812E3C7C03FECD0416D1B97267B214F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026385Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:17.205{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6674022B118EA32757EBFB76525905D0,SHA256=E29A22D2D04A8AC8EC76F6BE21033BB8E3B05A70130871AF24AB1D9E4BF72ADB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045209Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:18.636{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A3F965CF35D8784E2B177818532B49B,SHA256=147B4AFBD09C6BCDDB503BD3232600181163BA2BB2CE0931EE9BAF950EE801C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026386Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:18.221{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A9BFC4FA93C2DA4F8B9782C552AE83E,SHA256=DF58457B15AF0CA47CF7689798F6BA809373292E5EA2C0CBF7FC38298510DE3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045208Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:16.696{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51700-false10.0.1.12-8000- 23542300x800000000000000045210Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:19.667{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6100F285B3327BEB2F67AA9DF54D7A20,SHA256=2E7DB76BE39F97A7CC54E3C6B4B23D23063ECC49DAA540F92DD7AFBA6201D118,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026387Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:19.235{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF7ECD6CF04DD5E04168BEEADF7FD86,SHA256=94375A5F7DD89ECBC6C26A69975DE475CCD7463E57B2174E7F759289411A8D4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045211Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:20.684{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45D89693074515C502AE69DC31E87C43,SHA256=13D8F47354C5405833DE6D16E0BD08340A9A97F639E9DD01DD637E687E463D84,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026389Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:17.974{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50950-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026388Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:20.235{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD95D5200CCF7C1A18DB233CBA5131D5,SHA256=619EEE1B9A05652175202977D6F46D27BFC58F7002E8EDD9623BFFB71BAF8D38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045212Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:21.703{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6613E97B05E3FA6A78005C1979CD977,SHA256=429A3CA30262B1CF1CAE97CBE7F41E9C52E1DDE12D95DF66D7F0789384496339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026391Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:21.634{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\respondent-20210906120554-096MD5=4761C661187147E55C9BD88F93ACDD3F,SHA256=E49051AD655512C416AEEFA39D6145E31F50204E8459201070596158B48A8487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026390Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:21.236{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=082491C00426417FCFD4682B8F2D00DC,SHA256=05E19BE2990BDDA420B6F0DF6006A722D74942FFF29D9EF186CE20212A8960E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045213Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:22.718{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E24A1BCB33F7AAC71B1F08ECBEBCC7C4,SHA256=CC15BB9B96ACBAD8189732065A42BF1B6D0EE516D4BB6CF11494D61480261505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026393Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:22.617{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\surveyor-20210906120551-097MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026392Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:22.241{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66E56FEFA49957F4BF805CCA96FC7C66,SHA256=9C72F5BCC7FF236C301FBFD8B75513D57E0F04BB8B86E3A03D7D1B12594AA69F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045215Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:23.733{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E71F3E1ECA2EB3744C9E78775CD82E4,SHA256=1DA751EBBF58269ACE6A09E83CF4368A1320B9C24A57D5FD1ED59AA36A959AE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026394Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:23.242{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F881550BE04719C9A75DFDB29DAB348E,SHA256=43372D26D637D45D0C813B17510B1A9094C776E42D7816673E4343BE69B1B5ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045214Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:21.710{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51701-false10.0.1.12-8000- 23542300x800000000000000045216Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:24.747{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=605264C7480D2DC55C10046E5567E821,SHA256=18B17C20025448BDB0E9B0A81BBABEEC901780AA472BF6618B016987337FD083,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026396Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:22.996{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50951-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026395Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:24.242{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF5C27833E8D386F7CFAC11D7CDED883,SHA256=BBF404B0D24D59DCB6FD7CED7AF3077FA29C119DCF69519823CC7EBC60D96127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045217Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:25.780{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B35F30BA1938390AAA1B0BC273DFC57,SHA256=DF70B377DFD623F72461BA9991CFC07816FADAE2B1FE1B33170B47829E164292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026397Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:25.258{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83A81E86ECCF74EDF8E4CBDDA953B5D5,SHA256=654B7458BE39606FBF0905D6980CAAE0154ED804861EFCD62E32286595BEFD3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045218Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:26.789{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7951ABF86A677B3DA26DB1E4C462967,SHA256=2E889354FCE4E605FA199BB39A7601EF54557322A5CAA9132B619387EE7E4D54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026398Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:26.258{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=459C142757A12CB0ED9173AB95AACD6F,SHA256=7BC547259A4B9AAB38262788C955FF73A4F5585E3D1CD1482217042ACA369832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045226Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:27.933{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=B8303BD3F8186E5F24BC0F0EF50A2904,SHA256=EBF3984DF4FCCA140B69808A19081B0AF76721D7311299E846DF2FF0DD7F16D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045225Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:27.917{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045224Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:27.902{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=510614B87B8BF42F0EEAFCD6E9F59168,SHA256=C2C3DE983271993458D4EAFAA74BCBABB9D1CA418A5D1BD1830BA4DFD5C9FEFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045223Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:27.886{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8153536F3ED127A4D7786470134AF2FC,SHA256=1255CCE3206C7B212A7200708BA3110C92E97902FC993D7F707F7652C77D5070,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026399Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:27.273{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC9C279753B93C5C4C28101134FFA3A8,SHA256=CC400C28913B9846D368A0E356644AEA90B849662F8409C7790B2FA9C138C4DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045222Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:27.853{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045221Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:26.215{323FE7D8-0617-6136-F403-00000000F001}4476C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-456.attackrange.local51702-false172.217.23.106fra16s45-in-f10.1e100.net443https 354300x800000000000000045220Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:26.214{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local56281- 354300x800000000000000045219Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:26.211{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local52962- 23542300x800000000000000045277Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.963{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3613128EFCBFC6FC349DA20A4302F0B5,SHA256=35CE7CA993FE3281318CE9C2D66839B1E5E8ADCBE3A340F8C8E3E1E1E1BAB0E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026400Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:28.289{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80F7B018AF376EE81593E7821CC13417,SHA256=D24DD3197EFAE755342BB3EA6DC2120CA8F6E877CAB37B3EAE434409B749BF90,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045276Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:26.792{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51703-false10.0.1.12-8000- 23542300x800000000000000045275Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.679{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045274Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.164{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=510DBE6F67223DC5455E6E4154A5ABA1,SHA256=EAE14BE97AEE2D07A23A3873E18A3B36C7B418FB5F7C246D3C545A3DE694CE64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045273Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.164{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=74B40F273A6747E9CE65CCBF8271C07D,SHA256=FB4D70D21CBA8D7CB9007D65FA14CD3C9B1174E1C021EEF0E6AADF9ECDBF137C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045272Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.164{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=2B389398AA165211D3266E5FCE7C4A1B,SHA256=D03AED95539ACF458EB2DCFAE019EE36FE15032E585CCE3E27AE6F9C2CE81CA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045271Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.164{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=770D1830F8D6205E2C4F4803B793ED47,SHA256=F60ADE0662A50F1FD8DB63072A7334A25B65F787BCB5919D48F5553815DD786A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045270Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.164{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=A22E116730EDC7AF2CCA43F01ED2287B,SHA256=8ABFC97A9A054898114283D995C9CE64B117E7F0341E41A59684A307F14DA4BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045269Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.164{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=3618696D4E539F97562A79C98543C1CD,SHA256=6A36AC5E5DD100E661DA8D21E24D4EE9A7F8CBD790B582751AC58AE747372192,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045268Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.164{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=431A9D7F2CDFEAC0470A064901787C16,SHA256=2A5C6A47A86FD3D1FC267C287D10236BA97349083E7DFA67022AA99FF126BA71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045267Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.148{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=D4EC42A09329AF85B3C9A1C00EA2B908,SHA256=A3F3F2349DE8CA75AD8A464731DC17802A0DDD34BB1E3D4FAE83A674DB613CAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045266Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.148{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=C143402B1C4118ED7B00874BB55D3156,SHA256=681A0704C2C3DBDFB684A05706A01805E4A396ACFDA7D8D591E54237E4DEE64A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045265Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.148{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=1904311EF938B38EA7286C04E0773792,SHA256=DF82CCF876F410906794D4550BA321E1D0C8A8B4D046F7EC9410F4468ED90820,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045264Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.148{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045263Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.148{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045262Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.148{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=EA7ADA8CF390307773C7AD266E89C670,SHA256=A58D54454D93E8CF6DC5198B3195BCC2F27B2CE9866FE9DADB06B41B88E81183,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045261Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.148{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=950D369B39922C02E14BE11599AFFFA1,SHA256=01CCD43065AF0574585E3226F79C6AFEC1DE3E60A6B1A7E503B8BBAD08583FBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045260Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.148{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=D975C2D8392953A7DA7F1DD185375FE1,SHA256=11E488D6FCE7849A7504DF67C04ADFCD3AAC3454101ABEA5901B4DB95157855C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045259Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.080{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=510614B87B8BF42F0EEAFCD6E9F59168,SHA256=C2C3DE983271993458D4EAFAA74BCBABB9D1CA418A5D1BD1830BA4DFD5C9FEFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045258Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.080{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=DF063A164A56ADD0754C56FA96BCABB9,SHA256=06A123AD84B3FC9151399C3B8FB4E758FF2D420436014A5A2C6226589A59D084,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045257Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.080{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=B8303BD3F8186E5F24BC0F0EF50A2904,SHA256=EBF3984DF4FCCA140B69808A19081B0AF76721D7311299E846DF2FF0DD7F16D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045256Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.080{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=EA86E0097B81FDBDEE3F12AC90CA6410,SHA256=6A242B62530E38DDCFD272643F6CC44EDC0208C69DC3022D6CC273F4C7E79AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045255Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.080{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=5ACD66DB29AFABE23566110E44DBD5E7,SHA256=AD73B565DED09760945E8AC426CD4D16C8DEB3C202E8ABAD356EABF62137D2D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045254Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.080{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=D7A237BC18BD7BCC8504A75F767AC11D,SHA256=C36DC7861543E543B8D3452F17B05A56F43826F76B34B0EFC270F234DCF49BC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045253Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.064{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=3286C34A39F5CB9919A76C17E9385B41,SHA256=D68F954A7DB02364EC0E71ECEDEB10A09D189E4542D9EF54576ABF92CB031A2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045252Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.064{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045251Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.064{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=5F83B0D6BA161602017AC27A96F3705B,SHA256=DB679CA27EE3FD9899E5DEF0384A3722FD19F4A23D8F35CDE1F3482E9642886E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045250Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.048{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045249Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.048{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045248Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.048{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045247Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.048{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045246Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.048{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045245Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.048{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045244Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.048{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=D3C79EEBD1FBF04B25D7E0D89796A366,SHA256=77CBCDF1F4FBF279888EF690AB6537A37271904F49F10A6B547B50CFB0A04A0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045243Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.048{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=1122B8CAA1EE6AFCC8D9C705810B59DA,SHA256=389FB0D336133EEE3F98D97A725786A1191EE0E2BE2AE16458198724EB16DAE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045242Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.048{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045241Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.048{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045240Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.048{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045239Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.048{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045238Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.048{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=0A118F84489D0336500BA7AA28EEC3DB,SHA256=80CDBD62FAC86A30E13F3CAA31D8DC1BBFA458FF093CA3113DCF17FA09204493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045237Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.048{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=7108E87CAD9A9187F04E0DB62EE11BA2,SHA256=D3E981266944DC3516502147A13554BB1F413120FFB119EF7191073704AEBDE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045236Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.048{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=12C155DD5E881352A0ACA1597315E4B4,SHA256=5EFE168A26228F9557DB8EEF6F128E6F2BC3CFCDBAAC5F1E54CA97980170DD62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045235Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.033{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=E03E73D5F6ECD4CD32C3DC29D718D0CD,SHA256=E0EECABA3B9EF2ED989A88F166FBD18E87DCAE59C51EC0C8615EB181CDBD6875,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045234Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.033{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=9029D6F8F6B542F8CC8BED031A868332,SHA256=B779ED2DDA6A823FC2E108105D90A5012357F0082973C164F86D95AED6E16573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045233Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.033{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=98E577C148A61351966CCDC96A865C91,SHA256=2A6127C1960DFB83F8F6D0B6EF099120B1BD858E432B56E7CA14F34B6986D989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045232Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.033{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045231Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.033{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045230Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.033{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=3A16652F3D7E909EEFB688780FB23DFB,SHA256=77E575221C7FB694A4D9FD39B1563AF193D1A6AF22C18DCFC77BB992B19B2BF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045229Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.033{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=E4AD5A04A5C7E1E2D01F8AD2F766BB15,SHA256=59DBC09166E7BA59B5CB02DF109991B71AD70418BA45595A9536A4758A630226,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045228Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.017{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=3286C34A39F5CB9919A76C17E9385B41,SHA256=D68F954A7DB02364EC0E71ECEDEB10A09D189E4542D9EF54576ABF92CB031A2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045227Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:28.001{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\c5ep525d.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045279Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:29.978{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C00183F96276830151A9A1406ED8BA3D,SHA256=7B1E289CFFD2CA57F0DE836E370605B1DE5448B1C3DB0DAE6264BBAAA897D63E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026401Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:29.305{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30BA120CB0391A501A6D0FE8AF89E250,SHA256=B666B1B9474E6ABDF720F682D6BA87D385D3A6139B4846F56E569D6E03F49996,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045278Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:27.292{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local60261- 354300x800000000000000026403Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:28.918{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50952-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026402Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:30.320{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A855E39761224DBCE25215B6F81A920,SHA256=9AF9964A64B556124F9FB9BE0C4F4706CF69A212BCDA4C623F82E55AFAF477C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045280Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:30.299{323FE7D8-02BC-6136-A700-00000000F001}1036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026404Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:31.320{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027D738D6259CA3822A324371414E04F,SHA256=7CEC8B909691A7A355F58DCA3ED91C0014731A9DEDABAD3662BE89B597047017,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045282Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:29.885{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51704-false10.0.1.12-8089- 23542300x800000000000000045281Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:31.015{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE8297E2B6F98BE009DB434B85C51B5,SHA256=54FDE5F843F57F6BE2315D2D8CCA21FA4EE17E12733B11908BA9355BA694BC5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026405Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:32.320{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BE473AB106A6D0CBB68F881DEF12225,SHA256=AE077E9D145D54B31C273CF40598F3726A680779BEBEEBA17F20158E60E50E2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045283Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:32.045{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F831267DD862AFE54964547E0BAF4FDD,SHA256=587B594DA2E12566A52630EDEC9B77AF8D478235A7BC29BA1FC1C705A258B2AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026406Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:33.320{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=261982D3A0167552AC799AA929720112,SHA256=7724932C20ED7B897B0AB3CD36F682AC80A0B410AA90431403A2A04613BABCDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045285Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:33.295{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\respondent-20210906115753-104MD5=58D52BFFD80488B8005F7C319C2D4334,SHA256=B9D8441D1BC2ED8425146F5F211E2A21C477807F4E0B7EBAD9811C868FAB9279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045284Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:33.045{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2EFF7435BD7BC46B785170E9FDE63BC,SHA256=F262EC3AB948179B1E64FC2D2A4EEE789C450AE5B08AEF1A85480BFFE3BB7FC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026407Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:34.320{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CA17F72B6D14234635D634D89DA2BCF,SHA256=48A6323F3D9CF8366FDD9B8405B90F6E6172CBCF7EDB530D80743F1E6352767E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000045297Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:45:34.513{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000045296Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:45:34.513{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0062f35c) 13241300x800000000000000045295Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:45:34.513{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a31d-0x1526a196) 13241300x800000000000000045294Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:45:34.513{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a325-0x76eb0996) 13241300x800000000000000045293Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:45:34.513{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a32d-0xd8af7196) 13241300x800000000000000045292Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:45:34.513{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000045291Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:45:34.513{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0062f35c) 13241300x800000000000000045290Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:45:34.513{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a31d-0x1526a196) 13241300x800000000000000045289Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:45:34.513{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a325-0x76eb0996) 13241300x800000000000000045288Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:45:34.513{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a32d-0xd8af7196) 23542300x800000000000000045287Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:34.314{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\surveyor-20210906115751-105MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045286Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:34.076{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65DFF6AE6B47181C970A8A7427C87F37,SHA256=CAACA3237D41CC5FC9E317E3190C8CCBC6C30929213AB48303038FFDA92EC0B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026408Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:35.320{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C0E66699039A8C3DF298A9D51FEFDAF,SHA256=C775B2226E13A966665E08D24580EACBF62DC95775ED051AB84948066EA6333F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045299Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:35.097{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A98EE9805A63709C79D98C8CD07C2F4,SHA256=0702DA5CD17A6C3E3EA2A8C8EF361933B764325F040F5E41753505268A11D159,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045298Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:32.737{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51705-false10.0.1.12-8000- 23542300x800000000000000026410Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:36.320{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FBEF6997F4432383934F5FA19CCC88B,SHA256=4B012DFEA6417558ED1B4AE9262D04642816C31FDD77FF6B87B1A8E1484E3330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045301Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:36.259{323FE7D8-022E-6136-1000-00000000F001}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=50E7FC03F9284C3B678E06A9318B1F98,SHA256=EF68DD48E950F3A301CBBC4D7D79BF0DFBDBABE8F3925BFBE981333E3A5E49C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045300Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:36.112{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35145F4372CD389C3F16BC08AC879EBE,SHA256=24E0625FF9FAF8F6639C6E070D51C601BF4CFA8F8F7715F050C64721F20E5284,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026409Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:33.964{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50953-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026411Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:37.336{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DF95035EC5FE8C71239273BD2E4F6B5,SHA256=83799AB3B2A95928F6E0D8A90850BA27F75B507C1B65201336950642D5B82D17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045302Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:37.127{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32F3F385CF9A3011E3001435FCCD7CB2,SHA256=FC3902B4C4378B172F01CD06505303576A1C3F904677EC338E7CF52E46574481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026412Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:38.336{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5900213F33754D977BD27C80419386EE,SHA256=9263C25A23DBE9BDCAFE80B1EA0637D3378419371D59C8189ADE3BF32BCABBEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045304Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:38.994{323FE7D8-022C-6136-0B00-00000000F001}6245660C:\Windows\system32\lsass.exe{323FE7D8-022A-6136-0100-00000000F001}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000045303Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:38.142{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB35AFE812B8EE6BF9615194634CD07E,SHA256=CCB203339BD45FD16DE693FD517B911C7B82407C56D59EFDF3488613AF6B6FD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026413Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:39.348{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E41E2F42338A9DDDFE650447D9B8EB8C,SHA256=B92600432A7B8DFE1A20B96E33DBCE9E12F2B4FD3A3876AEAC290AD786D05316,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045308Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:37.765{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51706-false10.0.1.12-8000- 23542300x800000000000000045307Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:39.888{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDBE8AA1D43D469BB972C89E758C2445,SHA256=DB3BA88E377A24CC29303955596CA9562D2D6B875F95BBC1CE78EE0972CBFB8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045306Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:39.873{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51A79C5F70558C724D8ED79177061FE7,SHA256=932D65A8EB9BEE7BAABC239923D8D5FEDA5D480188E491D2D0884EF96A4395A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045305Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:39.157{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6240BA4153FDEB4BD66FDD7CF9CD5998,SHA256=71779900FE5FC24E08CADC170ADBD33061F420C1DFAE0C353A1FF8E0E8AC255B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026415Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:39.055{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50954-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026414Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:40.364{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9BE72518882215A3144DB4FA10DD3BF,SHA256=F6C4CD5F7E369089F9E3D9A8ABE12846C0A271312EE6C8E1819F7E47F41F69B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045319Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:38.587{323FE7D8-022A-6136-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51711-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local445microsoft-ds 354300x800000000000000045318Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:38.587{323FE7D8-022A-6136-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51711-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local445microsoft-ds 354300x800000000000000045317Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:38.584{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51710-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local49666- 354300x800000000000000045316Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:38.584{323FE7D8-022E-6136-1400-00000000F001}1096C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51710-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local49666- 354300x800000000000000045315Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:38.583{323FE7D8-022E-6136-0D00-00000000F001}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51709-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local135epmap 354300x800000000000000045314Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:38.583{323FE7D8-022E-6136-1400-00000000F001}1096C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51709-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local135epmap 354300x800000000000000045313Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:38.480{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-456.attackrange.local51708-false10.0.1.14win-dc-456.attackrange.local389ldap 354300x800000000000000045312Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:38.480{323FE7D8-022F-6136-1600-00000000F001}1308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51708-false10.0.1.14win-dc-456.attackrange.local389ldap 354300x800000000000000045311Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:38.467{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51707-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 354300x800000000000000045310Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:38.467{323FE7D8-022F-6136-1600-00000000F001}1308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51707-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 23542300x800000000000000045309Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:40.172{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F3349526697E38157A4FF3CFFAD06DA,SHA256=17273BB43FF2C80F0F22840BB939FE3436136C72736FE2B6D6AFAE16B370204A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026416Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:41.364{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17DEC3154BD3D6C8CD397696BD848428,SHA256=927B9B4DBE7114C29899559BFD22B1F25371B7402E0182ADF836FC0A37166D46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045320Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:41.193{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=336D15231DB780EA2463CF25DBC1473C,SHA256=A3873E75F375FD84AC013DF543743DF6DF328E7238109372B6322C5E28E377DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026417Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:42.364{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE634FDF15875A8D95C2E696B6ADEE44,SHA256=CD33FC33AEB8E7D84AAA145F80185812F971D2E911C8DACAEB9757A35AED5D4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045321Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:42.209{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5506230EE41AA6F52C55671A2358A317,SHA256=C1092FD2828FC152A39148D00F13C667B1D1F3332F82DB1A2F18F4A1FB337662,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045322Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:43.239{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15DD9556BB50802D53EA4B71E71A8A54,SHA256=E59AE61D38A6C8F194A2823D186DB74060EBA718445D076C3AA6EF65D2707840,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026418Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:43.379{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59FE878249D7F69F7256BD93EEC3DABB,SHA256=365CE980D3154FBB82E5DCFB8E0688C56148472EB0D039999AD4732DB4DBD8B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026419Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:44.379{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1174A46C63A441BA258530E327F7BBA1,SHA256=78E28354119D35B944FB5375429A2BA93D816714C72D3A9085412C5D4005BBF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045323Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:44.254{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=234E7960897DE84444F76369D7E43108,SHA256=8CAF853DFF9EAF5244831768CA5EA0B2B84CD640D4533DCCBB8A5AC17CCFD651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026420Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:45.395{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7D4BC228D5114562F2AAD89E9E0A33B,SHA256=118027518A4D8D43E2109D5E970390C89A434D193D4A26C99B174A85A7A964C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045325Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:45.269{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A591E944DAD7681A4650296ED461A0E,SHA256=3E3FEF6DC3CD441472454227EE264FC0A0F553F583024F0B263053F9E1CD85A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045324Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:42.831{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51712-false10.0.1.12-8000- 23542300x800000000000000026421Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:46.411{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF8AF8E23B97419C73A34E2BCCF3FB09,SHA256=AF5231A268485C88DB643D7C3E90496D12B39D4437E283B522CC3B55AB6105A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045326Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:46.287{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4191761ACA6369DE90327DA9F4A2375F,SHA256=D775DA78546A5532DD9CC96612208B84948DA2A75E2C216340788D5B5BB7D71A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045327Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:47.306{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=827D195636FF9942B5D7D2433DAEC0EE,SHA256=4122AA554833EB5FF73987DA8CD79B82288E053F4C8EA895A8164C59270F0946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026423Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:47.426{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BBD50B1E1DC58952ABA39EA32F96B70,SHA256=81BAD2992BCDFB2A27DEE765A5EFBFF917B3B8A6F789A6EAC12A12BF70B372C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026422Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:44.914{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50955-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000045328Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:48.321{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F6844CA7A600A82848CBFA4FE1556FF,SHA256=98490504110DF105F542CFC3B96EA7F1C7254637CE124722ED463DAD6B46C341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026424Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:48.426{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54D6A8B2F1034FE02E63211966E2EAE7,SHA256=F7246E306AB4B3288A52E009CAFBEFD2097E7A00C578181BCD066B7572EA9079,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026425Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:49.426{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=275571EB7F599E79F91B210DDF29EA19,SHA256=643474D54D956A126A80B247FB3AF6449667A55A0C4031A0B5232B4A5294A475,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045329Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:49.336{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D2F30F224CF4A106DBD69B33116184E,SHA256=38A12120E76A522649FCFA36B7E75E1653C106004DA9FFC6D8A8092D711CE1AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026426Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:50.426{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDE91FB2D130419306A9651A2FB4401B,SHA256=CC4EC2D49921CFC68C0EA506B868F6D4D1172547DF56DAAE735E0C035030E86F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045333Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:50.719{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BAC7E7297397153BAA58BEFDCB8014A,SHA256=D7358D55BDBEA865C2350320ECDD1A1A6B083453185CBC9CF5A7FE786AA5011E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045332Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:50.719{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDBE8AA1D43D469BB972C89E758C2445,SHA256=DB3BA88E377A24CC29303955596CA9562D2D6B875F95BBC1CE78EE0972CBFB8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045331Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:50.350{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=004E4A341ED22BD9D314E41B516A5BA9,SHA256=562CACE6FBB7A408F198F5958B2223F127B4B345936E9585D3FBBBDFFF3D85B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045330Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:48.627{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51713-false10.0.1.12-8000- 23542300x800000000000000026428Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:51.629{FFF7FB96-041E-6136-1200-00000000F101}1020NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FE9BC2713D516EA9522EC8EBE514F290,SHA256=1A64C40BE803F9ACC507DE12E613A9D32DAE50C2A74D7DF4F3E8BFF2CD17D041,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026427Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:51.442{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5FF16109277BFBB3F46E0F3E9A69BCE,SHA256=DC5A926D829AE9C6CBC9633A9BAD264D395C9D2C2F5D2E4FD629A8534091F238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045334Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:51.365{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A94A2113CDF516A19C7DB42A99A499AC,SHA256=AD81CCE81224FE89BCA0E7F07C862947620E53972B47C7C6065DF87CDC5DCF20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026430Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:52.442{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF5700CF60E2F62C42AF4D1776D459A,SHA256=25A38FC3B4319AEC3EE79362DB93FE843EF7440F5B65A36AF72971E31D0325D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045335Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:52.368{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72A82AD011B9D84E2F572E6E635A1E16,SHA256=76B072AAA0FA342A5427D56CCF1384B80AA21CFC35A11966AE87897AEEF0CD5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026429Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:50.102{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50956-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026431Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:53.442{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F893DC2DA75EB96FAC9D6C31EB36EF28,SHA256=A45336D4DE81828BDF800063774FDFFC9E804324880C69F096A8312461B4B246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045336Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:53.386{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E94A84E60918FF506819F643282B1A19,SHA256=764D18CF34B743F4C05A9CD8479D91D99EAECEB9B322F13BD98E3FF814BB095F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026432Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:54.442{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D70EE45B1E0505F7423BAA512E99B3F5,SHA256=DA36B0106E0957B4A8956A1818B94BA27CCD6EA6BD66B181EDAD494B989079D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045337Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:54.405{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=757EF1F1907272A218687805B91F0C3A,SHA256=D2FA6A73DB33E01794CA8908260BF0DA184D4051CF43340200377ADFDF8FF058,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026435Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:55.771{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5E9C885B108F8AFC704C435B00E1DFFC,SHA256=7E9136F64CCD2DF7C24BF2456E519C8667DE7F39070E18527495C21C307196B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026434Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:55.771{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=52D02EAECF72729AE97352AC370416B7,SHA256=AE81612F928630C7FAAE21AF26AC58170495730C3317CE4B27B330A0502B434E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026433Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:55.443{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E67CF440473894F52CA40EE9660D909,SHA256=DDCCF6E9AE50844F3EB108C2E1E85D890B46AD38AF2623F3B5316AE82D56B200,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045339Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:53.628{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51714-false10.0.1.12-8000- 23542300x800000000000000045338Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:55.421{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5F4380F0C8A2726ECBBC488A53F48F3,SHA256=A38FA33984856AA3C2FDF5C32D5FF48D0A6E25F96343BA1018DDB1E24DE4850E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026436Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:56.443{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=639F1D77B841FD2535DFC2EEC5FB3D78,SHA256=6EA1CE0A66DF6236091FB1A64F4E49BA0C0A10EBFE5CDA15075C6FA323B6E120,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045340Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:56.436{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=884B86726E5C286C0B155C20D0C18D1B,SHA256=7EC7F55D8EF7199B81D9E882D47FC105421320F9990F633549F1E3B9B9BFDA0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026438Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:55.869{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50957-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026437Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:57.459{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABA1003FD40D94F70C2AACD15A635A56,SHA256=23EF764D6FF46004E58465880C4679F918F9A66CFF489613052D0A47D50F4068,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045341Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:57.451{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BEA7C0D3D055C839B402C2A14212510,SHA256=7F50E6957E92C86967684EEB119B94274B01D9C676E4667E5B9C6A2B82B1D0B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026439Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:58.474{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=617C6DA614A6E192C930076252DFA2FD,SHA256=3137372421F912B01CB279619F30F1CBC2780C9D5DB8625A1D12AB5BA72C3479,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045342Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:58.519{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28329024FAD6C97DF201A07C63F15381,SHA256=2A5C8860EFE88069FF4BDDB6FBF57C421B3DDB35D37EBBDEFB4B13A8C4AFE46C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045343Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:59.550{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB711CC3D33796F0EAA9483A064D0B3,SHA256=D98CA55504F6E76EC183D8B061D91A4DC611423D83AD185BC4C407D0773E9AC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026440Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:45:59.477{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99F39BB1F4FB9ABF8D6450ECBABC31EC,SHA256=C8A4E200D4A8906A980D8422E468DF1ACF3789FDE05DF6BD130EF58DF30E7161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045344Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:00.565{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AECF0FE1C2BA61DFE7C2E7FD9328490A,SHA256=0455C3223EBCB3A028DCE8E3B6A42A97D2D7D1A2CB9C31AB938E3D3CDFFB6A9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026441Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:00.477{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F2DF0CE97135E49C0286FF9FA09BBAE,SHA256=10A6C2F7B1BBC8C0F09BE39C19449D0EECC46E6BB66DB9E290900F43B015AC7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026442Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:01.493{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87061E6A0D9E467774C19353B3D8648B,SHA256=3E3918511D22210C145BB0549F8812C2BFCDF3BC0412E8EF996E464C524781BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045382Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045381Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045380Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045379Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045378Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045377Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045376Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045375Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045374Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045373Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045372Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045371Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045370Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045369Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045368Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045367Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045366Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045365Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045364Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045363Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045362Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045361Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045360Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045359Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045358Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045357Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045356Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045355Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045354Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045353Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045352Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045351Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045350Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045349Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045348Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045347Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045346Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.733{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045345Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:01.582{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C82FD651C87DE324509D14D4402023E,SHA256=DDE17E9BB5DBADE9E61B35D3868C69DA37FDCB8416ACB3B2CD3DE010EFB0D930,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026444Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:02.493{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA737FB6183541F8CCD548386BC768B7,SHA256=98D6F900AFCB564A26F2ACD6DC40C3C199F022707AA2652FFFDD52AE10F1E564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045384Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:02.702{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=114EF722612260BEE0D6AD169B199811,SHA256=8344BD59F7DAFEBED47D56B3A12DC8DF027354EC184F3E6942F4D33EF1C6ACE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026443Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:00.888{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50958-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000045383Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:45:59.625{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51715-false10.0.1.12-8000- 23542300x800000000000000045385Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:03.717{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0496390C72174E651B3BEA62CC701AAF,SHA256=D09795D5EA6EBB3F2222ABF06D96788D99912FF797C39855CBC523016A5BA010,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026445Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:03.508{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDEBA6D46A23A88BB3A49A4AA780AB7F,SHA256=01B53446FFCDECEA936A5CE2AEC49F62C9A51923BD40F3FF39E090CCDE55BE97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026446Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:04.508{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67AE8972EA2EF2B6E75639AC6AA1D673,SHA256=2A31896E398BC8BAE0A3AA376633E1A52FF3911A93DBE9B94F767AC181424334,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045395Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:04.748{323FE7D8-1B9C-6136-FB08-00000000F001}26285928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045394Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:04.717{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0899DDE9A7F414D92E40942C1371B0AF,SHA256=3621D91A0CAD38423B772B28DA7F09181B9FE1C6510BC536CB9BD2A33635341B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045393Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:04.485{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1B9C-6136-FB08-00000000F001}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045392Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:04.482{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045391Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:04.481{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045390Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:04.481{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045389Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:04.481{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045388Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:04.481{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1B9C-6136-FB08-00000000F001}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045387Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:04.480{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1B9C-6136-FB08-00000000F001}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045386Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:04.480{323FE7D8-1B9C-6136-FB08-00000000F001}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045414Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:05.800{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1B9D-6136-FD08-00000000F001}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045413Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:05.800{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045412Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:05.800{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045411Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:05.800{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045410Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:05.800{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045409Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:05.800{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1B9D-6136-FD08-00000000F001}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045408Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:05.800{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1B9D-6136-FD08-00000000F001}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045407Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:05.801{323FE7D8-1B9D-6136-FD08-00000000F001}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045406Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:05.731{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F3DAA5C245BBBBBDDF0DA8422390FA4,SHA256=A87811311933B5B2067D096B1CB2DE9ABD55F538D31B0B31B9444FCD3312D0ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026475Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:05.930{FFF7FB96-1B9D-6136-7506-00000000F101}40121032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026474Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:05.821{FFF7FB96-049C-6136-9F00-00000000F101}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026473Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:05.758{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1B9D-6136-7506-00000000F101}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026472Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:05.758{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026471Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:05.758{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026470Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:05.758{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026469Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:05.758{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026468Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:05.758{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026467Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:05.758{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026466Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:05.758{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026465Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:05.758{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026464Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:05.758{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026463Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:05.758{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1B9D-6136-7506-00000000F101}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026462Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:05.758{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1B9D-6136-7506-00000000F101}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026461Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:05.759{FFF7FB96-1B9D-6136-7506-00000000F101}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026460Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:05.524{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C634D2EF54A4980DE81673FEB0CD4231,SHA256=0C09695FC2223A387377C3DB25947E95D474741F46C350765D88271B3855CE0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026459Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:05.086{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1B9D-6136-7406-00000000F101}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026458Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:05.086{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026457Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:05.086{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026456Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:05.086{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026455Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:05.086{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026454Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:05.086{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026453Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:05.086{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026452Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:05.086{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026451Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:05.086{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026450Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:05.086{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026449Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:05.086{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1B9D-6136-7406-00000000F101}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026448Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:05.086{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1B9D-6136-7406-00000000F101}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026447Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:05.087{FFF7FB96-1B9D-6136-7406-00000000F101}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045405Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:05.500{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E9452A48654673E16959BE060C69C7E,SHA256=A21429C16F9F2A460B345A19CA5716AAAC12723B159E23679E2AB6E906F915E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045404Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:05.500{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BAC7E7297397153BAA58BEFDCB8014A,SHA256=D7358D55BDBEA865C2350320ECDD1A1A6B083453185CBC9CF5A7FE786AA5011E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045403Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:05.148{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1B9D-6136-FC08-00000000F001}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045402Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:05.148{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045401Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:05.148{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045400Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:05.148{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045399Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:05.148{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045398Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:05.148{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1B9D-6136-FC08-00000000F001}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045397Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:05.148{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1B9D-6136-FC08-00000000F001}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045396Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:05.149{323FE7D8-1B9D-6136-FC08-00000000F001}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045416Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:06.746{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD523A1C25D7DE503E0EDF4DDE09865F,SHA256=B402E9C86E3571E1B50D7C2E3786840DF7C4786177129D2B32F5806EBD1862B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026491Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:06.774{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F372FA2EA66F68CC3013F3FDBEE6B3A7,SHA256=D69FFB6C0D6CB7962B4A9675DB704D9240D8392CD230C4FC4428C9301C912C03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045415Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:06.682{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E9452A48654673E16959BE060C69C7E,SHA256=A21429C16F9F2A460B345A19CA5716AAAC12723B159E23679E2AB6E906F915E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026490Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:06.430{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1B9E-6136-7606-00000000F101}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026489Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:06.430{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026488Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:06.430{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026487Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:06.430{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026486Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:06.430{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026485Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:06.430{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026484Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:06.430{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026483Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:06.430{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026482Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:06.430{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026481Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:06.430{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026480Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:06.430{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1B9E-6136-7606-00000000F101}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026479Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:06.430{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1B9E-6136-7606-00000000F101}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026478Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:06.431{FFF7FB96-1B9E-6136-7606-00000000F101}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026477Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:06.086{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75F3EA50838CF585A8F6D634332BD6C5,SHA256=E28DB2E68C860E0C31CEF7CFE34EE9CB0BEBD4B4951E404DF1A331FE4A518B90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026476Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:06.086{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CCD27B77449932C4C8057BFD1D95D93,SHA256=FE380E417E39798EEE359DB58A89F16EA6EDFBECDFA31666B3E3ADE88781A56B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045420Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:05.670{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51717-false10.0.1.12-8000- 354300x800000000000000045419Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:05.223{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51716-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000045418Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:05.223{323FE7D8-023F-6136-2800-00000000F001}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51716-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 23542300x800000000000000045417Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:07.761{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DCABD541E9D49B6797FF6DE17A8B4E8,SHA256=0627803A8CC91C63E1D8ABC41E9E1ECD298E54241C97E29B2809C7C875EFC71C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026521Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:07.914{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1B9F-6136-7806-00000000F101}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026520Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:07.914{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026519Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:07.914{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026518Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:07.914{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026517Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:07.914{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026516Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:07.914{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026515Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:07.914{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026514Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:07.914{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026513Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:07.914{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026512Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:07.914{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026511Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:07.914{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1B9F-6136-7806-00000000F101}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026510Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:07.914{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1B9F-6136-7806-00000000F101}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026509Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:07.916{FFF7FB96-1B9F-6136-7806-00000000F101}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026508Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:07.836{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82CEA2458656DE8AFF51ED3A674524D4,SHA256=F9CB4D6D04A16578E930A412B54F1A18AF834BC592EBEF7228E0442A4DD47FE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026507Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:05.655{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50959-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000026506Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:07.446{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75F3EA50838CF585A8F6D634332BD6C5,SHA256=E28DB2E68C860E0C31CEF7CFE34EE9CB0BEBD4B4951E404DF1A331FE4A518B90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026505Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:07.383{FFF7FB96-1B9F-6136-7706-00000000F101}900904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026504Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:07.258{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1B9F-6136-7706-00000000F101}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026503Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:07.258{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026502Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:07.258{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026501Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:07.258{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026500Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:07.258{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026499Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:07.258{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026498Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:07.258{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026497Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:07.258{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026496Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:07.258{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026495Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:07.258{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026494Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:07.258{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1B9F-6136-7706-00000000F101}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026493Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:07.258{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1B9F-6136-7706-00000000F101}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026492Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:07.259{FFF7FB96-1B9F-6136-7706-00000000F101}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045439Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:08.861{323FE7D8-1BA0-6136-FF08-00000000F001}61804988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045438Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:08.761{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=866B055F085395CC85E0423112CBB648,SHA256=8489BC4FFBE1524EE1C7D480BFB42E9D0762DA9B83CBAEBAF191C2D7B6F21624,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045437Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:08.682{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1BA0-6136-FF08-00000000F001}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045436Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:08.680{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045435Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:08.680{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045434Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:08.679{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045433Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:08.679{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1BA0-6136-FF08-00000000F001}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045432Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:08.679{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045431Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:08.679{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1BA0-6136-FF08-00000000F001}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045430Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:08.678{323FE7D8-1BA0-6136-FF08-00000000F001}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045429Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:08.263{323FE7D8-1BA0-6136-FE08-00000000F001}46686380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045428Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:08.014{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1BA0-6136-FE08-00000000F001}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045427Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:08.014{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045426Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:08.014{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045425Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:08.014{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045424Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:08.014{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045423Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:08.014{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1BA0-6136-FE08-00000000F001}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045422Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:08.014{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1BA0-6136-FE08-00000000F001}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045421Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:08.015{323FE7D8-1BA0-6136-FE08-00000000F001}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000026535Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:08.586{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1BA0-6136-7906-00000000F101}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026534Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:08.586{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026533Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:08.586{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026532Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:08.586{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026531Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:08.586{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026530Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:08.586{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026529Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:08.586{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026528Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:08.586{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026527Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:08.586{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026526Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:08.586{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026525Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:08.586{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1BA0-6136-7906-00000000F101}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026524Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:08.586{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1BA0-6136-7906-00000000F101}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026523Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:08.587{FFF7FB96-1BA0-6136-7906-00000000F101}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000026522Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:08.102{FFF7FB96-1B9F-6136-7806-00000000F101}9562392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045450Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:09.783{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79F97DFCD44E9F454C92787AE07B6870,SHA256=3293BF493CA8EC967E55BFD70E83EDE08DCE53B41014641C5D698DF09C888685,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045449Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:09.546{323FE7D8-1BA1-6136-0009-00000000F001}33845924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045448Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:09.362{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1BA1-6136-0009-00000000F001}3384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045447Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:09.362{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045446Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:09.362{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045445Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:09.362{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045444Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:09.362{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045443Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:09.362{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1BA1-6136-0009-00000000F001}3384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045442Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:09.362{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1BA1-6136-0009-00000000F001}3384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045441Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:09.363{323FE7D8-1BA1-6136-0009-00000000F001}3384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045440Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:09.015{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB218DB5E05628B010290CF092331D25,SHA256=181F4AD039DEBF11BF3B17BA62A00FE036410A5806C9199BA7CE358A4D76A5A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026552Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:06.918{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50960-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000026551Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:09.430{FFF7FB96-1BA1-6136-7A06-00000000F101}32603680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026550Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:09.258{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1BA1-6136-7A06-00000000F101}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026549Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:09.258{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026548Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:09.258{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026547Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:09.258{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026546Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:09.258{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026545Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:09.258{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026544Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:09.258{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026543Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:09.258{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026542Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:09.258{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026541Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:09.258{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026540Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:09.258{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1BA1-6136-7A06-00000000F101}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026539Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:09.258{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1BA1-6136-7A06-00000000F101}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026538Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:09.259{FFF7FB96-1BA1-6136-7A06-00000000F101}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026537Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:09.055{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08391D2E2B83C90A63B1A0A40C5A1796,SHA256=90389A2F0F8EAAA1ECB79E72918EF7FF6E2E83F4B07963D02203F862192377F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026536Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:09.055{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=630556ACB0B2ED248AA791D34239E530,SHA256=DCF7F1289166752564C0F22C960DF794EBA88D2F8962BD33B1AB508076A34881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045460Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:10.815{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D8DB44C181BA9FCE54DD4AAA0E6C0C6,SHA256=98469F1F1126C3F4D22776AE82B8DE3662BD3EADFA584FBF6E26E84B02506871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026554Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:10.258{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3071C4BB046AA52914FF5988BBB334CA,SHA256=A9D41D24E4A71A23BFDC108DF17992E2358AF48CBA2CA839A4D64490EB15BD62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026553Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:10.133{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9711792341365ABBBB7F58F6634013D,SHA256=89820372BB3FF2FCE1099F7B1782C49C35753461664429498E6697A8C1A8A8E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045459Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:10.399{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CEBF1A13C32955B34C5DF6F913A1AA2,SHA256=65EDD85F3F7712953C0726B80E60897429A4F496BD0A91DCCF6FAAB5C6CAE5F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045458Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:10.030{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1BA2-6136-0109-00000000F001}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045457Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:10.030{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045456Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:10.030{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045455Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:10.030{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045454Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:10.030{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045453Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:10.030{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1BA2-6136-0109-00000000F001}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045452Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:10.030{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1BA2-6136-0109-00000000F001}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045451Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:10.031{323FE7D8-1BA2-6136-0109-00000000F001}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045461Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:11.829{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D79272B59C5E940D8D522B982E5EB43B,SHA256=9CB048416B40F52C2C53F78C96FAB7AFC6A8507958B5913D5F6A20208FB235EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026555Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:11.181{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9F4F93981B29C92CFEF155689044582,SHA256=4DCE0632C2F0DCB42DF2A4AF45F50024615B36CAF6C0368B2256720997580E00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045462Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:12.844{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A066D928C763CF9DFB5D1B288AE7313C,SHA256=337E06E09AAF3622E20060AF4F815995E35B21E19D8090CA0F659B73DFFFDCAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026556Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:12.196{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE6DF81AF420E1A3208027125AC78EA4,SHA256=4DA6E999C8C226AACED118F231BF45683F95FE8E0009F90959D68D00366FBD81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045464Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:13.845{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE2BDAAEE9B63796B1834C894BDC82F3,SHA256=EA6187752F2442509DC35657F33822F11C537C1491B51BE063ACE2071315A5E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026557Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:13.227{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0560998B9603015DF685FAAFE9452B10,SHA256=E3AE78A2667DD4158BDB3989111756FC60AE8F9DD546F717412579B1E7A1CCFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045463Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:11.705{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51718-false10.0.1.12-8000- 23542300x800000000000000045465Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:14.860{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F81A6A9D6997B3A966BE4571C5F3581,SHA256=3A6D1AAEE08EE3D2A418BDEF3AAC76A6FFA393BAE2EBA94FD7B920175F65B37A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026559Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:12.918{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50961-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026558Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:14.289{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DB06188DBBE107B800511AE2DA46719,SHA256=DE161045EC758F36DB57BF73DDE72E63E1FBE6A2222FEA37B607F6EBF3D79232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045466Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:15.876{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16BBA078CFEB6DA4FC21BE6D2B233D4E,SHA256=4C6D4A963A5D33D206132DF8F949296FC5100D3038F563469E490DAE64D9CF67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026560Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:15.320{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB3576E4F989F61AFAC8F13BECFEEA9F,SHA256=08D467973612C45CC1B4534E4BEFAF16E3C11B496DA70285CC9CFE8AC5C8A424,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045467Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:16.896{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF20668315DD78B4CF3A7662ACE2EC0D,SHA256=7B4B9E68CC8D9A010D796B62E8056B8916418CB9BECF53A213636F1828437319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026561Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:16.336{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D22F4AE09E48FCA818A98FAE23AD4C4A,SHA256=B01CB7BDAC299932255D2C59EE79BBA49ED51ED447579299D9515C6E789A99A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045468Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:17.911{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B21C6A869A0F7790C2702E9AB3631BB6,SHA256=BDF402A94DB327AF2CFA8DFE5B2F5395C38363FCC68251498DF1E157E3E4D46E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026562Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:17.352{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=123F4C6639FC4E293B1921867C369969,SHA256=889A7BB5E0B34F2F792F19B6B716EB0D3A44F034458C3C1C3D37282AD08E4A38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045469Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:18.926{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=579902265171A3C0BD03DCD1D16A7389,SHA256=385E05AE9CF0C86C99EC5A5B7F155BBF8E53F40BCED3B831B2734E3381298E0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026563Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:18.383{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5DA6553ED6DA5726BF6365B0ED95911,SHA256=8D6C2097F5B6E35B9A7200BA51DDB68DD56E95B5CEFCBC1E018F89B77C0FBEED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045471Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:19.941{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B95C56D84CD4FED19777AD76944D67EA,SHA256=F0825C7C4779E05389BA37B0ABCBF8BF94BB48F8ABCB2A93A2E263FBC7A09ADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026564Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:19.390{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55ECA9BFC38C6464F97266F622989C2F,SHA256=C8E8D429C9CD1225C25DDBB720667ACD2787C286A958F5E05D6C19935883F9E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045470Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:16.849{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51719-false10.0.1.12-8000- 23542300x800000000000000045472Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:20.974{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C26E7710267801776ED8E47BCB4783B1,SHA256=6BE6183A7E0D8AF7076E26BCAA040146545B8616AC5BC34E50C504742761A942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026565Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:20.390{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDE3249889EB52A2B118597347A0D241,SHA256=579F08A33E3707D53AC2E77FFC08930813D63F6121DA2C83DF4F3463ABE5B45E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045473Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:21.993{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=065162961F11269404967325D0744F86,SHA256=B26CDD362960617F511613D1ED3C6FD2DAE88A79F24ED61C4DEA7829589752E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026567Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:21.405{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=811CA9325DD60AFC24F389B1A297A95E,SHA256=685B063F1E47F19D207397A9ECCAD028139C824E4178B45372ED201BED2DF41A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026566Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:18.941{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50962-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026568Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:22.421{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30DD136599D488D51E336C684BA48011,SHA256=B4A8C7DE1EE2D501C7DEF36D689DEA4B3353D989B2D655F1A99EF36C0C388496,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026570Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:23.436{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6817BDF7BC97B30258FE6D99037BEEA,SHA256=445920F03433212BE2E9B5D0A744596924B618107CD443C83600E19E52829B26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045474Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:23.002{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A5F87869A050344BA66747EF6D7BF3C,SHA256=B40FC791D529C75388D961C4673F3CFE42E896099DF3D16569CB97AE53F58A0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026569Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:23.143{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\respondent-20210906120554-097MD5=4761C661187147E55C9BD88F93ACDD3F,SHA256=E49051AD655512C416AEEFA39D6145E31F50204E8459201070596158B48A8487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026572Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:24.449{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EC708685C76EC9391A0D0E7B05161DE,SHA256=ED75F62EFCB829F810964AB6AD47F90155FF2A420C2AA981A484AF82F5BE76CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045476Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:22.610{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51720-false10.0.1.12-8000- 23542300x800000000000000045475Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:24.033{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A39EB077B9A8863A6246AF36F1592AB7,SHA256=44FF97A1D6310E23053B0D3ECCC26378416F6337878989020DD76BCFAFFFAFC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026571Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:24.156{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\surveyor-20210906120551-098MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026573Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:25.452{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE00DF7E5BDC040033B783AB515F9C58,SHA256=B68427759F4F978B264A23C3CE892B9B3435E9F05B49E58ED663BF393FFE12E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045477Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:25.033{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D0D03EB6B887463B29513470C96743A,SHA256=3A42F029FD36DCBC8227616B8ECF1B7B2C11F8FDE683DA7A9B3B34B1A87B8EFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026574Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:26.467{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24040CFCB9F16E8B079D0773333F955F,SHA256=3908BFA7B5B14E87E3861557F86558EAE4ECCECA4F8DF7254E48E2D0046A9372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045478Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:26.064{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22F93795E29726690575390E8015349C,SHA256=496AE6F8C0A9E18776E5BBEC2E21E6FB33083E3B06769FCF3982B38FE367F217,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026576Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:27.483{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E558087383C85EFE5A716E03E03FE61,SHA256=98D0A1BD26A889888B1E5C4C27F70420F692D9F55D98C3338212A92C5E56A68D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045479Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:27.081{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88AF27B1E5F9CF0420B8471CE883EBEF,SHA256=8ED23726D8BF52FCEB4EA6C07243B26C0D9EF8FC612150CB37BFD3AB8449D324,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026575Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:24.956{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50963-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026577Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:28.498{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1690116E11FCB0E8E22884B929FF714,SHA256=341E390C79071C432FCA91168FE0990046B2CFAFBB706C1A071F8DBFB7A66879,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045480Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:28.083{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DCE80267C771E68318493EDEAC293E1,SHA256=3157789636F63B4F664E581C32B92E49CA8A703EE609FEBD827A4C4C66043797,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026578Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:29.514{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E783D8BE91F3FCCA1125D94FD5521BDB,SHA256=045F00BDAB575F19B5E8A4BF1C8872AA28DBC71552359852E0E96D7B7AA2A9CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045481Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:29.100{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33615C89452ADD1F1CA4EE04EA91EAED,SHA256=2B803F8F95BC723E4F7860E2E0C3D516E715654A8FA13CFAB7BF453EAAF09DDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026579Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:30.514{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3241C8BF0997F757678E19B6A1DB3463,SHA256=A43FDD8F8C4AD2943019DBD3B2FE8A15612362923957D4903A1526D2D31C17B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045484Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:30.330{323FE7D8-02BC-6136-A700-00000000F001}1036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045483Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:27.792{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51721-false10.0.1.12-8000- 23542300x800000000000000045482Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:30.115{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13EE0A38AACCBD5AB4A56EE699839601,SHA256=5C3A3A5F214C949B0FD8A8FF424899129AE8700E5C7A21160B005B53BED41CA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026580Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:31.561{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C0A5981E82AAAF18A61616EB09BE579,SHA256=4FD79FA230251694264F93C65F4B6E31DBECB60524E975A47C35072D685EB3C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045485Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:31.130{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3FA7724DC3CB1861D6D773B7CD838C3,SHA256=940D303269B2A551EEDCD5C36FDE0A56DB2A67CEC3D7AD0576B649C1BE082F15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026582Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:32.576{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16982D2BCF3BB47390D74A720A062953,SHA256=9CA6C1113493AE81DE93087752D198590A626FA5472E1C614000017DC7C801B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045487Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:29.906{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51722-false10.0.1.12-8089- 23542300x800000000000000045486Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:32.160{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=076CA7600B2F2F178C67A434160DE570,SHA256=D6F69BBEA7B5C4E6A72AA971A2A6BDB39B49A7DC9059C20B84B3ACF30E93CC50,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026581Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:29.987{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50964-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026583Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:33.608{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FA178347DDC11AD299347C23BDC9B95,SHA256=86FC0FD997215FB4C2209E06BC7508A003480675401467EE566AADEBA68AACE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045488Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:33.178{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE271BD1519A0259E7F7E216BF115670,SHA256=1863FFAB2E2ADB38AE7BFBEE2C08568437B11788F6B7950B27FF95FB1551B7C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026584Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:34.623{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=333F5961AC23310D82F1A39422EAE6E2,SHA256=966DB427BC025C16E59FA79D43B2C2613C57E6055110BEDD449CE7923B058E5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045490Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:34.846{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\respondent-20210906115753-105MD5=58D52BFFD80488B8005F7C319C2D4334,SHA256=B9D8441D1BC2ED8425146F5F211E2A21C477807F4E0B7EBAD9811C868FAB9279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045489Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:34.258{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51D5CB9269142521E8E310CC4E92F679,SHA256=3C3BD52B197ECE8DAC846C47227DBFB7262EFF25CF09FDE2F11EF854D2EAB49A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026585Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:35.639{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46E3FE0D2E60454FF353CD106B24F657,SHA256=C0A732B4759A482C55020C26F260B935D1C077EB28A113A7E1BFC61481D79DBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045492Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:35.859{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\surveyor-20210906115751-106MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045491Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:35.276{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59E9E77C7A0CC84146B5263349C795EE,SHA256=EC15979D279ECEC08A71630981384CA7782565CA1D2D230DD1C9440DE9F70D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026586Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:36.639{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E94F8811A7000B5FE94A0277C4A8CD9F,SHA256=8DCEC92F20431A3D70091A7C81A6078881712D4016E2917C6CE2D2AF616B8C40,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045495Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:33.650{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51723-false10.0.1.12-8000- 23542300x800000000000000045494Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:36.279{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A47FA8E97AA1D4E2441085E546E5BC88,SHA256=9CBB28D1363320C06A14882C912D34C83A8269B0343FD65B0C6C796F1730EAAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045493Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:36.274{323FE7D8-022E-6136-1000-00000000F001}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0AD8E0BF1167354D609AD1AFC04CC424,SHA256=C6A09EFC9A91CBFFA39E4B75868929B22BC71058B0F81AC2C1D5E1D50E450235,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026587Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:37.655{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10D0DBAE90BC6CFF1A3AEB339B1155E1,SHA256=9CF5852C209D48362D7D0D18C1835DD8F04BE8FC7E4BB5ED151589816F25DF3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045496Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:37.294{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E50B0E12CEE036F613BFAAF58E5FCDAA,SHA256=C5008FC7C3A462E97C7A2E7616D32348BE5837B62D80943F40A0B82D59D4C357,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026589Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:38.670{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D093CC0540B52069EE87ED1110C0EC66,SHA256=FAF5373C885F8479579C439E221985570F4CBBD42BC7418EECC632ED86E00466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045497Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:38.309{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82BE119ABF92C352817C29CCD873BFC7,SHA256=CC11E0E82BB01E687392AD0C9F3B26C7F960957015E8F640281EB187C58D09B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026588Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:36.018{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50965-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026590Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:39.688{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAEA56B1BB703E77ACC8C79D27D41D5C,SHA256=AA77DE3BB8436CDA3960C1AAA163D8BF13439B7781C4864B743B302261F566CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045498Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:39.324{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBD3A85C29DEAC969665723DCF1C1E78,SHA256=C099FF8E2A769E56B905521F6E58A78AEC37D50BB4E33EBCB00926594C6158A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026591Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:40.688{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A62EA19EC38D237E130017276C64433,SHA256=B099AACA486D982A8EBABA40602025BCA3689605F69291C83064CE3642F01AC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045499Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:40.355{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=999E3A3D50EE70BCC4571C37D0246AF4,SHA256=F2D5F5E0278FCD2BECF72C57FEAB828F930C36DA411A558209AE7913EF237FF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026592Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:41.719{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A62EFB108D0219E14CF6727F2DF24645,SHA256=2CF0B50EAB8DD7FE13D220493DF24B0E52CC306BB506798C979D36727DCD3406,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045501Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:38.660{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51724-false10.0.1.12-8000- 23542300x800000000000000045500Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:41.355{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECB79021797300C345839D383A4BEC4E,SHA256=F98618387B2EA4386E2659BAD29B59AD52A434C509B150DA91B5AE88568902D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026593Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:42.735{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AB2C69363B5D1A08EC7F0D7174B6B87,SHA256=6C9EF860224E2B5ED4FE13FF1E49AB48C5E9668D1153CE841F4464C886786F1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045502Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:42.392{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E25B2A9C16790C346AB8BA63EDF88515,SHA256=07480444B9B7B5DF7089E4294B7141F76F133B3B49562C316C8DEF802D9DEA55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026594Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:43.751{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FA18F149F7E9C5D6A1E829D62CB7F75,SHA256=F63D69B31339A63CBFD9A88023129149638B839B8C30CDFCA27BAB11C5F875BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045503Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:43.423{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420E6D4BE7CB571BA510C8C9A300CC17,SHA256=901A7E4934969BDA687C3A2B833FD00458C17EB4974EBC275E62D62B8D4A588B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026596Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:41.989{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50966-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026595Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:44.813{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06DC37C58E65A53BAD228F9F103370F1,SHA256=D5DCDEB47E8D82058EC650084E69B0D99E9D2CBF463D29D72631422746513206,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045504Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:44.453{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C91779824120DB87DF6A87382425E9B2,SHA256=984F1CA9B4A574CEE31C84CB780E859D8F379D1416883C5C021D5D9CC4260BDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026597Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:45.829{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE183F54E7506167E7E3B1F4B2AD515,SHA256=FD3BA3C2483AA66505BB544DB5DDD8F6A0B723AA25ED024BCD878740A77C61B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045505Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:45.470{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5D84AD1D5AADD7F98EC5117075BE8F2,SHA256=3C8989C33D4334A8D6F4E80FEA0D94CC511D49A15035519949CFC3084E01D190,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026598Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:46.844{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99DF8002962F5702F2038BDDDB28825D,SHA256=CA4A1FCC7DFAF9FFDE8EB1F982973058E1524BDF752ABE41EEB619F73E154ABF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045507Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:43.698{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51725-false10.0.1.12-8000- 23542300x800000000000000045506Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:46.489{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8FE534B3B1E342A5CB548268ABD4F29,SHA256=69E4666A42F627BDD21A421FD3E0E3D7D8B57E80E85F7813004DAC7808D3A2A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026599Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:47.876{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B4A7342423B247ABB366F39F5C88174,SHA256=A003CFAB28740120C4A004AD2C0A754E219F786A72D430E64DF7B5A5B8A8F1BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045508Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:47.519{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=056C7840DC5A135B7F9D75390A3F26EC,SHA256=6FEF53D12CE69B3B5516CF20443ADC917274B1A259CB69EB5A32501B08A8EE49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026600Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:48.876{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56F495E0D8ABBA9545EAD2B250962945,SHA256=68730F3E1FB251C8DCD0AD6D258ACAEC8B7A45316E8AC218C13170D8CAA1CB92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045509Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:48.550{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9DC695474A810C74D47F0A2BDEF831D,SHA256=14A33CB0F2F594DFAA0234BF32C970844BE1DC5C96CB6CD62D0576EB271DA67D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026602Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:47.974{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50967-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026601Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:49.891{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46397C26F9A3759E7ABE2DF8CA1DFF85,SHA256=884825D0E4B469F57E44195B51E5452A09F6CE10C4971D304CB4E7200C6E083E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045510Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:49.571{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A33CE1C845DC065FECA88CA375C9F694,SHA256=13ADF081EEA2D2F7280EC6A21EECE81EFE1F27E056450B57FBD7E0268DCBFE51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026603Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:50.907{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=511085FF15E32F0CB1DBCB52995DC7AB,SHA256=6A2BA2EC9A0E6DA7C6B12FA20553D6BAB42FA7D88314B5CFFD9AE7382E5DA0E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045511Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:50.586{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A787F5AD652D716E2C1B6A0E5B795CF7,SHA256=0AA5B3D10FF4954DB1744C1CE772734BC5BDD8CA9C4B0266C7C444CF4DB3CBEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026605Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:51.907{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ABBD2E1C7A9159F198607649D5ADBE3,SHA256=158D1E5204645C5C5A55E2D6A99BEAB113296A30C138C2FA21CD3A2A00933282,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045512Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:51.601{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EBF1886642F6C2B64122CC845901D70,SHA256=DEC4277EF843B6B8CBF37F94DF29A77AEDCFB7213EE2A72D22D61253DF5557AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026604Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:51.641{FFF7FB96-041E-6136-1200-00000000F101}1020NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=93294BF117D652CDEE9F54FF20F789B1,SHA256=D41E25B1A2E96D760FFA9DC8751641DBFC0A947EB541835F7241C6A8D3863CC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026606Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:52.907{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58777A293EDD0E0B1813C3CA5B2D0098,SHA256=56BFF301F87866532B1C3C0F7E0ADD47B6615C9E9DABD20780013BCDB431BEEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045514Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:49.659{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51726-false10.0.1.12-8000- 23542300x800000000000000045513Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:52.615{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8295DAEAD3BC57267360D6ECDFB673CA,SHA256=6A946078B9B43EDE3D1959A424AEAD04717A1A7BFC5B9FDE85AE20D2879AA8FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026607Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:53.907{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CF78C08AE26DD30E8E41B755BB04731,SHA256=1E4E28F5554F04FDA04A9799B3DE313A45C8DCA27B187CC2512CA8EAC794DE68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045515Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:53.646{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D36359B025F95EC8F87BC3B4271AA816,SHA256=9F24FBE226A142FCFCFD071738EFABC3E6DB518141A39610D743BB72195891F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026609Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:52.974{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50968-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026608Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:54.922{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=828B9A447888EC1CF4DA5945BBDE95A6,SHA256=BB0E3FD17450855112D3113E59672E4B519D79411DD6EE12024D131B9D82B91D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045516Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:54.664{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8FE42091DF9DD4279DDA891AE1F3907,SHA256=1AFB3A0D80C167EAC3BCD1E20FDF71A92C6CC464AA82F39688BB042D3BC3E794,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026610Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:55.938{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=082D01AC17402F5B22FDA0544A8B6EA0,SHA256=F5D251EF29DA07B921BBD8DCED168D60F3E309827E73674AA0F4F7C104FF7DEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045517Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:55.682{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A0E3BAA63117CE87C02FDF4BAE09463,SHA256=609395FA7DEAF0961966643D51B804D15C13455676B85A0246CA9522DBEAFA64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026611Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:56.954{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDD5E26168F270BB021FCCA7354A83EE,SHA256=856D204E8BFC5440090FD57BB605B1C642D92ACDE64BB2763268B89769CA3C08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045518Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:56.713{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=494162BE9949C72F48BEBEDAA9FE1FBE,SHA256=D3B24AF5D9024D870D84570C078461195113D9F503FABF707A725B85E1692455,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026612Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:57.969{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F7E74F2967874E60CC8F3EA7D35B07A,SHA256=0F2B537B1449D8C8FE48B475326731303BDDE38EC248115BE6B152F5B35FD03F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045520Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:54.705{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51727-false10.0.1.12-8000- 23542300x800000000000000045519Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:57.744{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58E958FBE4AA273E8842245622120CA7,SHA256=DA0A2CA50E69738BF8361FC1ABC412A1266D5436F847AD4978E24D9CD0748898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026613Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:58.969{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D44EF6BD2635EA4CB26DAB184C3FB0EA,SHA256=238F9AACFBBFC22F1B0830776CC08D78AF64D0C594167BCFE77415BD7423797F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045521Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:58.781{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB7C526EF3C5EA1F66484128650F3582,SHA256=A2C94A50AAB94D754D8D488D758932BE7F562FF450CB271F30F64879AEB13816,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045522Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:59.811{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D685ED78941305B36AF80F7D9CF8DE3,SHA256=96C63C26D3EE8FFD229197699A489DEAA6502155A1DA77A2214C76FC30313D5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026614Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:59.981{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32C2B9F56B5CE7DE962040F978840D36,SHA256=5E9DE0A3EB6AE0A04952BB7CD16A54C07682DDF48DB994433C4974322E1DC2FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045523Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:00.826{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADB94F25EDEA2B98AC2ADDB18BF7D9EF,SHA256=5E800470E17C2253892E410C2BCB4C814A20B75468EEC0A26ED3BEE3EBD3C745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026615Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:00.981{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7875F8339850859B657F8DA835DBD4C8,SHA256=9902740E04A0FF2B0ECE81584AF106F5F4C631D528863B83EABA5C944777857B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026617Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:01.981{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79004C74C3C946E16989D45115C9842D,SHA256=2806904E37189DACA6D7C4365FBA95B367D8BCE1D50E1B71095F83B9691CB9DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045524Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:01.841{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D5CFA6668971F71E1668C44790A0A2F,SHA256=10F625ACDCC0211584249CE5B0630CCAB208CE43F7893E5A453D99F8FC801E9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026616Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:46:58.892{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50969-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000045525Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:02.861{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=586B213CE351B69F17F7CBD62452E44C,SHA256=9F2625FA13C8B6285007A0EEFD53C0C2DF431CA8778B0C0F854D19C9F8FAE52F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026619Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:03.997{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BEF4946C022B62C25DFCAC14D585FFC,SHA256=885A5204200F72770D38D66EEE2060EBC69ECC9C5FD748B95C53DC9E0B975E7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045527Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:03.877{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=689EDC07A330E47090E1EBBBC596B2D4,SHA256=965D493D82E7CAE60EE4045C13356B026AC73A39EEE374412BF2343614080083,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045526Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:46:59.734{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51728-false10.0.1.12-8000- 23542300x800000000000000026618Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:02.997{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F7B90C5F776B5551661F54762D85F38,SHA256=427D1DAD2D563350F7548198DA8BE8F40DE83C6D9AAF345A80E780AFDCC217BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045536Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:04.879{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A249D77E7FA2CBA32FDC98018520BF5,SHA256=BDA467FFE947AE296426667C131FC930EB27805FF01DF2751FFD9B7E85BF6DF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045535Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:04.508{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1BD8-6136-0209-00000000F001}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045534Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:04.508{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045533Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:04.508{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045532Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:04.493{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045531Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:04.493{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045530Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:04.493{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1BD8-6136-0209-00000000F001}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045529Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:04.493{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1BD8-6136-0209-00000000F001}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045528Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:04.493{323FE7D8-1BD8-6136-0209-00000000F001}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045556Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:05.966{323FE7D8-1BD9-6136-0409-00000000F001}23404604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045555Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:05.882{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=546F658C614886FD8E7741D92FBD7ADF,SHA256=4CF0181A150BEB3B65717E860B45C514C295869125BC7BFD9D2BDF48632D35E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026648Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:05.841{FFF7FB96-049C-6136-9F00-00000000F101}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026647Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:05.575{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1BD9-6136-7C06-00000000F101}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026646Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:05.575{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026645Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:05.575{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026644Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:05.575{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026643Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:05.575{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026642Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:05.575{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026641Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:05.575{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026640Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:05.575{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026639Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:05.575{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026638Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:05.575{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026637Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:05.575{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1BD9-6136-7C06-00000000F101}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026636Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:05.575{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1BD9-6136-7C06-00000000F101}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026635Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:05.576{FFF7FB96-1BD9-6136-7C06-00000000F101}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000026634Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:05.403{FFF7FB96-1BD9-6136-7B06-00000000F101}17683492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026633Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:05.075{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1BD9-6136-7B06-00000000F101}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026632Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:05.075{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026631Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:05.075{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026630Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:05.075{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026629Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:05.075{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026628Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:05.075{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026627Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:05.075{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026626Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:05.075{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026625Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:05.075{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026624Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:05.075{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026623Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:05.075{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1BD9-6136-7B06-00000000F101}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026622Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:05.075{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1BD9-6136-7B06-00000000F101}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026621Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:05.076{FFF7FB96-1BD9-6136-7B06-00000000F101}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026620Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:05.012{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=806CEA492F4CCB8EBD309E14AC804DC7,SHA256=B228D8EDF4D8E20BEB1348BC4359A39953EAE2C4F2FFC4840C9E6569D2DDEAFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045554Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:05.765{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1BD9-6136-0409-00000000F001}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045553Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:05.763{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045552Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:05.762{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045551Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:05.762{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045550Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:05.762{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045549Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:05.762{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1BD9-6136-0409-00000000F001}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045548Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:05.761{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1BD9-6136-0409-00000000F001}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045547Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:05.761{323FE7D8-1BD9-6136-0409-00000000F001}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045546Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:05.498{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CCB2AD67D26D172EAAAA11F8DD680BF,SHA256=C9F4C139797AB108DE7269EA23D238311993B799FD7625C78A9BD42BEF107323,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045545Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:05.498{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=751A9F1CB83A730EA3DB69F02C39A355,SHA256=CA6168B8670A0EE4A464E095B579D398E658147D7C04A56BCBA0C610250C6139,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045544Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:05.164{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1BD9-6136-0309-00000000F001}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045543Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:05.162{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045542Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:05.161{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045541Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:05.161{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045540Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:05.161{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045539Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:05.161{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1BD9-6136-0309-00000000F001}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045538Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:05.160{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1BD9-6136-0309-00000000F001}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045537Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:05.159{323FE7D8-1BD9-6136-0309-00000000F001}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000045560Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:05.236{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51729-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000045559Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:05.236{323FE7D8-023F-6136-2800-00000000F001}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51729-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 23542300x800000000000000045558Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:06.882{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77979558884E32A17DF945C7958FB62E,SHA256=CE72964CFEC7CB60E2AA5132898197303686E805512F20B803052AC0D9097369,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026665Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:06.294{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A4A0613A16EE9BEC31E0D13212BF244,SHA256=4E1BD85DB932BFB754DE03384A314649248C94F648B2109222A4C4A5D18E6BE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026664Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:06.294{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA177857EBB70D1195BE548EF04AFB5C,SHA256=143A18ECAF70DBE516A2A7BA8F500F5B0DD2B7ADA219022E957E8F4A79EBFE7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026663Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:06.294{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C8198ABE77F936C99671783885E2CA0,SHA256=0BECCCA88AF79F0E87F78448C9A00744BCD775C15A5EACD475A4284BA5152F67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026662Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:06.247{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1BDA-6136-7D06-00000000F101}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026661Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:06.247{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026660Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:06.247{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026659Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:06.247{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026658Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:06.247{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026657Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:06.247{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026656Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:06.247{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026655Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:06.247{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026654Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:06.247{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026653Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:06.247{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026652Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:06.247{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1BDA-6136-7D06-00000000F101}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026651Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:06.247{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1BDA-6136-7D06-00000000F101}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026650Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:06.248{FFF7FB96-1BDA-6136-7D06-00000000F101}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000026649Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:03.939{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50970-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000045557Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:06.665{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CCB2AD67D26D172EAAAA11F8DD680BF,SHA256=C9F4C139797AB108DE7269EA23D238311993B799FD7625C78A9BD42BEF107323,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045562Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:05.773{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51730-false10.0.1.12-8000- 23542300x800000000000000045561Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:07.887{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FEB708915D24D046B49FC0FE21A43B0,SHA256=616DA764CC317A2B19AD983B42C5CF127665AE6A810621A968880B4B6D637857,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026694Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:07.919{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1BDB-6136-7F06-00000000F101}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026693Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:07.919{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026692Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:07.919{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026691Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:07.919{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026690Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:07.919{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026689Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:07.919{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026688Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:07.919{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026687Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:07.919{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026686Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:07.919{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026685Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:07.919{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1BDB-6136-7F06-00000000F101}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026684Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:07.919{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026683Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:07.919{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1BDB-6136-7F06-00000000F101}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026682Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:07.919{FFF7FB96-1BDB-6136-7F06-00000000F101}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000026681Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:07.434{FFF7FB96-1BDB-6136-7E06-00000000F101}35483788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026680Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:07.247{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1BDB-6136-7E06-00000000F101}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026679Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:07.247{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A4A0613A16EE9BEC31E0D13212BF244,SHA256=4E1BD85DB932BFB754DE03384A314649248C94F648B2109222A4C4A5D18E6BE8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026678Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:07.247{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026677Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:07.247{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026676Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:07.247{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026675Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:07.247{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026674Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:07.247{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026673Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:07.247{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026672Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:07.247{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026671Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:07.247{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026670Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:07.247{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026669Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:07.247{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1BDB-6136-7E06-00000000F101}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026668Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:07.247{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1BDB-6136-7E06-00000000F101}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026667Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:07.248{FFF7FB96-1BDB-6136-7E06-00000000F101}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026666Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:07.153{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8094190308AAF86F3F0A28B5D9800ACB,SHA256=AFE8CB48F105F9D48A483C22F2F4308C0B6C6057A2282FAD01403F9CD334B347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045581Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:08.902{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2BE72A81C7036B7314C2BDCFBB2B4CF,SHA256=D3A245F4BE8511604BB1F1B51D64B18B6DEBB994C26FBB9534A089CDB9441D3C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026712Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:08.622{FFF7FB96-1BDC-6136-8006-00000000F101}16564032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026711Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:08.575{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CDE2D182F4DA9D5ACD524475DE7494D,SHA256=B2B37F692C77766AF7831AB1953109D3A3DC658325193C6B6384D51C05531A02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026710Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:08.575{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F1E806FFF55A0EE4BDEEC8FC98B049B,SHA256=0C6CFFC7F7C44FDC7C0FC2FB799461C6FE5CB32F054AC4E10EE4726FF175CEDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026709Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:08.419{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1BDC-6136-8006-00000000F101}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026708Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:08.419{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026707Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:08.419{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026706Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:08.419{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026705Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:08.419{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026704Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:08.419{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026703Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:08.419{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026702Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:08.419{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026701Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:08.419{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026700Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:08.419{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026699Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:08.419{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1BDC-6136-8006-00000000F101}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026698Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:08.419{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1BDC-6136-8006-00000000F101}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026697Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:08.420{FFF7FB96-1BDC-6136-8006-00000000F101}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000026696Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:05.673{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50971-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000045580Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:08.871{323FE7D8-1BDC-6136-0609-00000000F001}37205816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045579Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:08.702{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1BDC-6136-0609-00000000F001}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045578Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:08.702{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045577Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:08.702{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045576Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:08.702{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045575Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:08.702{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045574Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:08.702{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1BDC-6136-0609-00000000F001}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045573Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:08.702{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1BDC-6136-0609-00000000F001}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045572Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:08.703{323FE7D8-1BDC-6136-0609-00000000F001}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045571Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:08.218{323FE7D8-1BDC-6136-0509-00000000F001}5160708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045570Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:08.018{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1BDC-6136-0509-00000000F001}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045569Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:08.018{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045568Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:08.018{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045567Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:08.018{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045566Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:08.018{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045565Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:08.018{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1BDC-6136-0509-00000000F001}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045564Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:08.018{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1BDC-6136-0509-00000000F001}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045563Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:08.019{323FE7D8-1BDC-6136-0509-00000000F001}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000026695Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:08.137{FFF7FB96-1BDB-6136-7F06-00000000F101}18521856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026727Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:09.716{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC7CF0A734B12F2A45FA962181C4BD4B,SHA256=FBCFE8E959B3F7D7A7DD4FBFD9070C7DA676094660B4DBBBA6D045F26EC8098C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026726Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:09.716{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=376FF99B69FD1093A43B94745AE1E58A,SHA256=5A5F214864B8A3B728C365115CEADDE345E769F4A43D028C8A49B24D0B521E93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045600Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:09.919{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFA0C3BE21E0F69A303439A5ED49ADE9,SHA256=B501DAF64E6B648C9B44055ECDA0B5939A1ACB340C3956753C60A93004ABEC93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045599Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:09.903{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1BDD-6136-0809-00000000F001}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045598Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:09.903{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045597Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:09.903{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045596Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:09.903{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045595Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:09.903{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045594Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:09.903{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1BDD-6136-0809-00000000F001}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045593Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:09.903{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1BDD-6136-0809-00000000F001}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045592Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:09.904{323FE7D8-1BDD-6136-0809-00000000F001}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045591Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:09.388{323FE7D8-1BDD-6136-0709-00000000F001}55286936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045590Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:09.218{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1BDD-6136-0709-00000000F001}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045589Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:09.218{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1BDD-6136-0709-00000000F001}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045588Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:09.218{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045587Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:09.218{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045586Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:09.218{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045585Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:09.218{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045584Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:09.218{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1BDD-6136-0709-00000000F001}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045583Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:09.220{323FE7D8-1BDD-6136-0709-00000000F001}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045582Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:09.033{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2AB26954BB36F46E854952B736AF9D63,SHA256=C1C5F5D1D21A606D6F9F9BAABA63B150D4FD02D792B6404C4B0E89D399E9B61E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026725Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:09.091{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1BDD-6136-8106-00000000F101}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026724Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:09.091{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026723Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:09.091{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026722Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:09.091{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026721Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:09.091{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026720Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:09.091{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026719Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:09.091{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026718Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:09.091{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026717Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:09.091{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026716Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:09.091{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026715Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:09.091{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1BDD-6136-8106-00000000F101}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026714Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:09.091{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1BDD-6136-8106-00000000F101}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026713Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:09.091{FFF7FB96-1BDD-6136-8106-00000000F101}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026728Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:10.950{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B453CB4A2403522724EB799B6D510452,SHA256=6EF68A090CC79E9084C62E160AED07BEAFB54395025AC55AB091D3744D9FB731,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045602Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:10.933{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=858BC4A620A48E72A8504BAC22DD1882,SHA256=ED2AFAFDFC7ECC3BC34A75682E28886824B7D6D6FF4FA9E3439CF36B18134107,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045601Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:10.219{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAF56F6BADF51F14B84B2FBDBD806B51,SHA256=00C68A3E82438F0229901F290EB048626057E644CA0055D5BF16B12C5D41AEFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045603Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:11.948{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F13498B4489C625B9D5041B515FD2B61,SHA256=B99D63B88CD446E2D43E1A1EFDA3B34E19F066DC0DEDF83F627A8B6CA5585321,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026729Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:09.049{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50972-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000045604Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:12.949{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EABB4E340B04428DA6CE3F3D8CD5BCA,SHA256=50260B51320660C9F3F5F4ECD91F5C33914AEDE993C7BEDA50AD3823FAD58A94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026730Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:12.075{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DAD21B2EC49216C4B04398D9CC92181,SHA256=0CBE3685068271C36CF92E95A5DC6396A65778A8CEC64C343E651E3BCF198A47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045605Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:13.966{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A593CAD282D9E98B9FFA2364FF06CE0E,SHA256=0D27A84C56DF9EE0E278223309437CDD192F1D83C605660B51147606A9380AB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026731Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:13.075{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F27DBC337095F2CD8BFC8181E74B698,SHA256=8825918571FB68E4C7DD489EDE52AA5156B4C79544EEC1F26A44C699FDA1C7B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045607Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:14.984{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E545C2820B4B05C5A6B273BBB3C75D10,SHA256=55F29FD98E6944E3CE5CDED3DEE54C45A31708DAE1CBC3874BB5E53218B8E997,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045606Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:11.793{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51731-false10.0.1.12-8000- 23542300x800000000000000026732Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:14.075{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8FB5853BCBD96F0C6FF5893F0CF4969,SHA256=1B8D087670DC98071E4282C3007167FAE617532A54A64178C8254E53DEC32470,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026734Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:14.064{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50973-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026733Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:15.075{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D33A5CFE63149D40D4E4FDEB32939F39,SHA256=961E21F80917F93F5E1D4C01DE8EC52B22C0D255210D9D7E97DFEF7C399B385D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026735Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:16.091{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F2D4CE13F011294296B08E8DCF4900E,SHA256=838312F088C41AB4D30B0F5BC17E081A9FC85F345A0A9D33CDC34B5DD3ED5E9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045608Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:16.015{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8B4E6A391C267097155161B94F7669B,SHA256=2E3EE74363EE57D83AD86EC9F2961057B2A8D6539E7D014AE06DFCDBEE236AEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026736Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:17.091{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A0484B41E23C4021E5BF2CF013ECE6A,SHA256=DE5E549DB447DB8E698A7A319D5A568164FCC786D82BB63433BA8DA39CDA72B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045609Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:17.016{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D33949E6E7D65A9212841EB551813C8,SHA256=548CA2C60755F17EBD32D531CF466DDFAA25381190AB5D92784E781FF8CEE974,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026737Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:18.106{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9A0B49E5DF53C8D318BAFF2E70EC39,SHA256=69FE413CC755FF95460A4F80644882D63C41683A42D9DE693E6C3C5FF5F53E91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045610Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:18.031{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96CF8B1DF4E196A59B1254C9C74C847D,SHA256=6A3A39C5532F14B01C6D7D48784D7F14BB502C8C5AA6D19A0680BE5E1D88319A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026738Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:19.120{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18C0A18476F157B9E1ECAB88F33F4A71,SHA256=E918FD51ED4D3AEEC0997A358A8D650E3EB9D032E08412F65C01D7C6CD100369,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045611Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:19.046{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22B7C9CFCE31767B9F15FC55502FAFCD,SHA256=31FA1EA88CD4ABF08B93D72164218733673B465816A80F3047C715EC8F68C58C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026740Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:19.109{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50974-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026739Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:20.135{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1EC330B8BFC1B5C2DCA8BBD93E955C7,SHA256=8CACD13F79FB3389B9495E0AC89474ED0EDA5902CE095928FC21A864227A2C14,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045613Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:16.838{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51732-false10.0.1.12-8000- 23542300x800000000000000045612Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:20.063{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=604F04DD43F3BECC44B60E08B5CD50BC,SHA256=E75BAF7A3497E270BC07F83D06ABBB1297E9E340FF157D967F636CA74C57BB07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026741Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:21.151{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7C197B00CC5E3295FC2844B5F768ED0,SHA256=E23AE0B4C022B62F8BE0E102ABC56A19C8FF258C2150D763F5C9A16942306666,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045614Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:21.082{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FCF9B8E93759AECB67AB0FFFACAF4FA,SHA256=C8015FAE943E030701AE4A2824B30B770694885332EFC09FB732D6A53F77D772,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026742Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:22.167{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D65F57B88C00008CD8329D43AE1423E9,SHA256=1B574430F5585EA4635E10F13C6AA0F63677741FF645E283A50ABF5F20BAE801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045615Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:22.097{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC1C7FB0BB1EACCAEEC4F034C9CF9E16,SHA256=032B033D83FD65061B769BA7434DD0D383C8AC2E88E018DA8AC3DFD9B62EEECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026743Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:23.182{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED9D6E2024F7E8CDF03A5CC7F8D89ADD,SHA256=2C6405FAAA39D16C8569E4EF144F6BD05FF3EFE92B1F7B242630388DA93F28E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045616Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:23.112{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75A6A2944D8F18E35CA825D0E4B6BA35,SHA256=3FC529852BC227197AB438DB20A59BB6CD589614E78649C2674C05E434B0F7BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045618Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:22.703{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51733-false10.0.1.12-8000- 23542300x800000000000000045617Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:24.142{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9C7D5B3EA3370631B1EE4EF1E85BF0B,SHA256=6966FE48FBA8176EDE7B2D2C6FD667EB9116F3739EABDFB1B465B345C8B9E738,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026745Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:24.686{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\respondent-20210906120554-098MD5=4761C661187147E55C9BD88F93ACDD3F,SHA256=E49051AD655512C416AEEFA39D6145E31F50204E8459201070596158B48A8487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026744Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:24.184{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDF0F119B7350B33260F794C5EC6C89C,SHA256=8FBA56CEEAB9485EE9594C703D59486FD5291B20328951FCE953F031FC5C63D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026747Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:25.700{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\surveyor-20210906120551-099MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026746Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:25.199{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50396C0131FD9205C1F6A764C408D5F8,SHA256=5F730EF8B0742849396213FB50243B4F6D33A999BD0B05C14274376007BC4B72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045619Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:25.179{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B47E75ED5C8BB40A9ECA0661BD15FDB,SHA256=C88797BFBE3EA5AB1786171BBC07DF4F7E3C5A1B663E96B3861722AF04716512,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026749Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:24.953{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50975-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026748Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:26.214{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09EDA90AA57E7E01BE8B2FEF38F43323,SHA256=3C1AC992C067A2732E554E2EC9C5ED1FCBC88B04D92D7F7EDF610BEBF3FE1DFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045622Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:24.505{323FE7D8-022A-6136-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51734-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local445microsoft-ds 354300x800000000000000045621Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:24.505{323FE7D8-022A-6136-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51734-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local445microsoft-ds 23542300x800000000000000045620Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:26.210{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F7B6603684A7C0056B0BE3870D4077,SHA256=ABF65CC00AFE23D0711DE6B45073ADE733B3A2F16FEEE47C87DC8B569B62CCE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026750Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:27.261{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E085CE4FFA0DE1090634372F28CE00A5,SHA256=3BA35165F01CA4ABE7FB8404AFA2FEEB212C5C9FE5B3EA69ACEBAC09FB7ABC30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045623Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:27.225{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F885DA89CC49B6F7B439D127F6836545,SHA256=29913E68FE3953D6B76F11A86ED32D5D354883DC2645EE3D3A93E9CDB0ECFC56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026751Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:28.277{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E652E8B9D6359110CFB8C878AD26F844,SHA256=7C9FDFA82AED3871D1212F678235B9E964733BA5C4C1EAA472ADCEEA5613AAD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045624Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:28.240{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7795E51D40421750903A2EB41ADD781,SHA256=AA345CF3A8351A53B30E4FB30BF2AE5D178A3C9D173FCF565E9EDA94CA7A9A02,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045626Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:27.768{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51735-false10.0.1.12-8000- 23542300x800000000000000045625Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:29.257{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=514182324B7EFF8ED0B3CBA07F683929,SHA256=1A217EC830CF653FCF84C40942B6E3E8B6B192CC3376191BC5D8779F7B54F244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026752Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:29.308{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2726F93436E4BED0DF528CA13A30CF6E,SHA256=09A22C0E8DAE2F3838C647E9FD58D6145F6594E521CA7E465414207C5BD2ECE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026753Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:30.402{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1313DA46B59EF6F7D3B9B379EE8324B2,SHA256=BD385F3F1BC1001571C2ADA689514D15A3915A1217A3E6B08414EA1FCC3C3503,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045628Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:30.359{323FE7D8-02BC-6136-A700-00000000F001}1036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045627Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:30.276{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1990343FCA8E391BB5E8BE8E5295A409,SHA256=87CD7C80905B6C852C570022F45368244DA9A7EE4592AC8AE5AB0D236FF078B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026755Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:29.969{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50976-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026754Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:31.417{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4BBB5C85C526AC475FF374193A9E77A,SHA256=7AF960DDB49DD2FBC300ABC9824170821A9C2F981870BA76BCFDF09FF32AFF90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045629Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:31.291{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=772E269ABFBF8A90AB5647B92B8AAFCC,SHA256=13D483F5CEF096D89E6476F2C3B221E2E7277C1B6DA96B2DC9F3793C75DCE676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026756Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:32.464{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D8B16544ECE128DDE2A7C7A169F7D48,SHA256=E5CB43AA75C3A4907D456B40B481F1CFD9AF73675BD70BA6B5B8076A81B922FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045631Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:29.930{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51736-false10.0.1.12-8089- 23542300x800000000000000045630Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:32.306{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C873323A5E08010337034018CCD4497,SHA256=5682020D4E809DD8B35449CC5F94207C1C371F9DEF271ACACBD11EE4BDB0CF84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026757Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:33.480{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=436A48E0A35564D8596DE3A8CB7384CF,SHA256=F67DF783D0BC932DE4A564D15AF172F2A324D6E6F92E38C8C326FDC416DB12B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045633Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:33.774{323FE7D8-022C-6136-0B00-00000000F001}6242748C:\Windows\system32\lsass.exe{323FE7D8-022A-6136-0100-00000000F001}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000045632Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:33.337{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54FA47DE9D3DE13E4934E3F72883329A,SHA256=A641BC25D97B8EE613AC12A1F13B379553180BFC174AA29B05C22DFE2B069944,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026758Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:34.480{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D736FD485F5A3132396BBBB790818D70,SHA256=ECB3D7E1C6560658601C9467B382D8682C26EE1373C279527FCF9A84976F3163,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045636Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:34.774{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=540DF3F36C0F804B5F999F98922FAEAC,SHA256=00F8C6119B7385B2ED8BC7F21821DAC01B845919BC9C0C485BA40A444DC31999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045635Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:34.774{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBA344957F46C503EF245AF9C9A83565,SHA256=7D097C861CEAE81405509F00D161749CE7D6F8EAD996DF20DC0BD97A22FE7CE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045634Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:34.356{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E5A69B76814C2D3553499A04D312053,SHA256=4AAB0AEC38DCB12066B0A9A760C6C7D87D8F31D3014DB60D38E067A9B3540C73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026759Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:35.527{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE6B05F14CB378C855E13A31B4563F1,SHA256=E066338CA172C989B56E1CF2027FB6CFDC73A566EC3B9240012FC062EEB8C5CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045642Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:33.628{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51738-false10.0.1.12-8000- 354300x800000000000000045641Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:33.366{323FE7D8-022A-6136-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51737-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local445microsoft-ds 354300x800000000000000045640Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:33.366{323FE7D8-022A-6136-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51737-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local445microsoft-ds 10341000x800000000000000045639Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:35.520{323FE7D8-022F-6136-1600-00000000F001}13084152C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045638Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:35.520{323FE7D8-022F-6136-1600-00000000F001}13084152C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045637Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:35.373{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85D9F1D189A3531785155C46A917A95A,SHA256=7F824E851AE9317035BACD6AA760FFE8F7A834929CB0D713C6BCE1ABD1318588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026760Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:36.542{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36F1BD52FDEC50BAEFF72062B037BEA5,SHA256=EC369421E92F60EB9F3727C97526AEE9138563F900D1281AB380A64CB33353C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045645Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:36.393{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=456C3A8BB8D6E4A82FEB80142D740C6B,SHA256=6029E7BBB7C8AAC29F89998E6B5EFBE527B7B86E12C4D4B4C0F79831CA7F2F9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045644Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:36.392{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\respondent-20210906115753-106MD5=58D52BFFD80488B8005F7C319C2D4334,SHA256=B9D8441D1BC2ED8425146F5F211E2A21C477807F4E0B7EBAD9811C868FAB9279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045643Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:36.289{323FE7D8-022E-6136-1000-00000000F001}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C68B732B56E8189FA6B12CC2832BFD74,SHA256=CB5D8FEABE16118430BC9AC7F8B31922834197A615EF48FCA42E8C6D15A8E878,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026762Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:35.938{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50977-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026761Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:37.574{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA44F3C7F5D38F52182A4502F92ED21,SHA256=0779D907B1AA3E88CFF61AFAEDE3355872394FC73E5270AD5A3B1BBB14D3090D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045647Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:37.472{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CCC6BF054CE3029F9A05D4430BD3B24,SHA256=10539C331503E795CC4AD37CC754AF77F868E52B00ABFB7A094BE12F6D95D059,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045646Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:37.405{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\surveyor-20210906115751-107MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045648Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:38.503{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=748331D5B16BA4E9B0ACE0E90D8929E0,SHA256=8E57C1AAD3F46D2646338E83157BF9BD28A05BB589AE75A831EECC87EBD31993,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026763Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:38.589{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=882E521259BAD440FBD6482A49A12E0A,SHA256=56465F9F9F6C7B69F2116565F3C74B03E5304F20523C5AC86E42B1987F8BBE0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045649Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:39.534{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=824E3F7EFB26A22FB9473AE1B65CA46D,SHA256=701CD3106C47A2567C57EA74009FAD22AD03C061CD39C5C0F58188422AF85CF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026764Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:39.607{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F54D9542BDA77D831A9F2097C2CEB60,SHA256=5B1FE73CE09F6AB9980566DA5EDE17BCF3C5A3220C608A1E539F15EE4D2AE496,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026765Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:40.607{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F42D3232060561ECDDE6615CC2916787,SHA256=7159AE8F832B9BD9860769A47A7F8C7A86332D2AAD37B35293CF8D3C0AE0228A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045650Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:40.554{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9D09FF6F20CADBE8B4B01691A1AA818,SHA256=97F968264A98DA6FF99624537ADBACD88788A4208141A6F02932276284F861E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026766Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:41.638{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C1E699586AF5C55F2D37E63F9A0297D,SHA256=39517F92CAE46CCD8999749C2149E4240CAEF35CF3CB1CFAC3D9781F2587CD26,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045652Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:38.794{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51739-false10.0.1.12-8000- 23542300x800000000000000045651Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:41.570{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=113D84B3BC797C73876142AE258806D2,SHA256=4107B16AE2A29D16BE06DEACC90943CA7FEA1C72F1E0DAEB683C93594F032DF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045653Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:42.585{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA8C833A570735D2FCF3175A7D6CE10E,SHA256=373767494869EF3467A932B215144D2990B43AF2BA875F6D84F18B13F672F651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026767Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:42.638{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1268B9BD2034CF17424534D666D41FA9,SHA256=26F8D11A71A169B25076B2E3F52DEF3291329AA646B19787E165A07C923E34B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045654Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:43.585{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F9FDB14EBD3AB32F8386CB9285DBEEA,SHA256=AF400A46AAC3DEF246CEE15EF6E8320899AE6A6DED4CC59602F78CE9B5713535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026769Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:43.653{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB6A377078DF1743D545413BE95B909E,SHA256=302F8A74A92EC97D7AACD93F1CF59A5CE244FB0CDD0709BD28AC91996482B1CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026768Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:40.986{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50978-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000045655Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:44.600{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=794CBEA3CE64AC7C15E7643459B0FC0C,SHA256=72ED0B740DEB9D8114E8F24844E4079EC282B8588508A6D14983B972425FC280,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026770Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:44.669{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED093A70414C8743338CE922124C1E61,SHA256=8218C06905580881793FA1DE7DD2F2D32F8301B35670D67D720C3FE9FDEEA293,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045656Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:45.630{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0D5077CA6C80228782EECA1BDFE4FCF,SHA256=77A9DED7F458ED3C82682D30E3D442843CDD69C91C33A8942388CA593582FF26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026771Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:45.685{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2EF319FB636B6B47252CD3DE2B53B84,SHA256=E6D0D4257EFABFE8C14ACBAF14BDF739FEB667EA910F55E693E2CB9F42B94A59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026772Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:46.685{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E69D4F24066061D90005B120F7F825,SHA256=A33E062DE63D36EC29F000C33F9C41851549DF813962C0E274DA5AA46086F20A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045657Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:46.667{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57F544CBEF9D4997EBA0563A4E632E9C,SHA256=A9CA83F24A434F640630B7E765923F7B5F906A212583FF75FCAE8EAD778BEE7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026773Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:47.716{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A068FA0D3B420119FD55FC317B432AE,SHA256=FAC07D211137D63AC111D70CE9B1B9201C78A8794562FD1BFA3943DB52192867,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045661Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:44.691{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51740-false10.0.1.12-8000- 23542300x800000000000000045660Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:47.698{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3FD55CB76EB143E1AD50DBD7FBDC6AB,SHA256=7F1B390D0805ADB98F56B38940DA394759A251CE8064901107A94C856D684E1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045659Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:47.429{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78E34898B33007EF39A67DA80B4041F9,SHA256=414B70ABB70A0F34829F8D4EEAB330D6BAE8D5FBCE6AF2B6509ED46D6BF3B1F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045658Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:47.429{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=540DF3F36C0F804B5F999F98922FAEAC,SHA256=00F8C6119B7385B2ED8BC7F21821DAC01B845919BC9C0C485BA40A444DC31999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026775Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:48.747{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D4D5CAB31F0031368ADF75D54AD620C,SHA256=1585088E006F1E27FA96CC03D1B2D6B9EE9BDB4C0118942ADDAE6B97987048A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045662Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:48.728{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A809DD062276DA677773C0CEBB135C,SHA256=3887D8101AFCF056D86008101696B134D4A196978F4DA60A60F877AB5172B1BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026774Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:46.955{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50979-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026776Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:49.763{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7475222247548F6E099FB146FA920CD8,SHA256=506E2F992E6531AB2A852AD70DEEC6CF83DF1A236A4E12152BFCD059CA31DA92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045663Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:49.745{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=073DF7E6A52D9278FD40B5F2B9B894C3,SHA256=9007B044C63878A868599F8D8E050F9375048AD5AAB146F4378994809489AA18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026777Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:50.763{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C200EEF619D8858C0000E89A5003CAB3,SHA256=D1F2143BE7D6640D21968EC4FBB4E4BDA671BD2C1F2F0B24D59460568E70C786,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045664Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:50.764{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C61FDBDF71BDDE8B369C3A9D3107BFE,SHA256=8D71E7C400CCAC51A27A5AA5333F6DA1D63A1EAD585386FD482F9644D7D07AD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045666Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:49.771{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51741-false10.0.1.12-8000- 23542300x800000000000000045665Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:51.795{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEE430BC72C73EDC2359ABDC31F76EE3,SHA256=2E515E5F5AD2163749ED3EFF95452832D721C66894BEDF4C353D3BD70ABE5473,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026779Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:51.778{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC66AF81BFF7500F2DA7C8B8BCFB815D,SHA256=90FEE5149ECC0D02E495E0737646B0D9FE4F9274716EEF7C5C050156E9A7DE67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026778Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:51.653{FFF7FB96-041E-6136-1200-00000000F101}1020NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4604D2EEA2E4F68EE385C80A6479C59B,SHA256=1049A260842D3E002DAE05F1E3D974FF419DC38FBDF52D4FCE8A71E0A20DEE31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026780Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:52.794{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54347E748AE17DC2C03956855705B13C,SHA256=137FAFF3B8DCB0C4B77174208F913627E50CE36446948DC00C62FBDDC6AF3006,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045667Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:52.810{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB82856178C5482B4A81F68246F332B8,SHA256=89C885E15E33F727BD6A6CC56CC5EB11BD5E06CC33AAAA20391F81728C599E68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026781Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:53.810{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8740E52C51A8FA36031FB7B244659BC,SHA256=F964B2E325EE40549851FB5EFA68930ACC3484EC3476C72C164A145FB8D227B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045668Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:53.825{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4287A1C01B3A91F91B5032E793CC48EA,SHA256=E78074D9842D4A1388CBC7AFD9D9F5E87F885475382357CD66CFC8C74EB98802,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026786Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:54.825{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B35F20AE58436160FF7BB275B068BD37,SHA256=CDADD55BFF100A84EDC7540608D3BAD32460C0764A0804A8B0082C50EDBF14E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045669Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:54.862{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F0A6ECBDD581AD60E74431EBC2691D3,SHA256=F8BBDC6871668512BB6E5E9B5829A00F6484A588D3D95FA846D05BCF848B1C4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026785Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:52.096{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50980-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000026784Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:54.013{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041E-6136-1600-00000000F101}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026783Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:54.013{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041E-6136-1600-00000000F101}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026782Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:54.013{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041E-6136-1600-00000000F101}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045670Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:55.893{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5BF50D056684664CE0CAFE42314F41F,SHA256=27AFF397E9F90F56358283E75663566C65089EBA1A37177BABC053D343E03263,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026787Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:55.856{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=161D4529CDA4B6F73E0338BAB672324E,SHA256=DCC247D6E859D90824836FDF01A5BF36226D21E657974388B844D902CFBC1F3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045671Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:56.923{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B10AFF2875BC9E860BDB9CBBA12ACC63,SHA256=AA5A53E41681DB2F838E94BDF87DBE17E132F4616A5997E596299926BE4F604E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026788Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:56.872{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5471F5B5BC2AFA37ACE5DEAA6078F0FE,SHA256=4CAF2C7EF9458EA8FC5A00AF4AA12E90B9E6EA1D5B337F5B253AE73EB91CECA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045672Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:57.960{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE5463A3A3AE4FCFAAD40C4BF01CFDF,SHA256=98D15B0F6056234F48EE07B1784F6225E37CE8C61F894BF897C224CCF59AF129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026789Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:57.903{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7382852E524A2419900C3225F279C29,SHA256=CB7507BA4B4FFCEBE3B4312A3BF64F51498BDB231495C15AE528AAC83FFA069E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026791Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:58.919{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E9D7709CE2030940A2398A2FDB242B5,SHA256=A8EEC01F7AF16932DE02F37F10B483949B70F2D8C5B23328F7DCA6E91D283CE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045674Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:58.990{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=564E3F59F4BBA1EF379157B0457349E0,SHA256=6AC6DD9CC590FEBDC5A34D16F8D81C918A7EE379E42B86B3BFADD68AD1CD0F76,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045673Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:47:55.731{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51742-false10.0.1.12-8000- 354300x800000000000000026790Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:57.112{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50981-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026792Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:47:59.924{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE08D9BC7779FF15C0ABABABF80D024C,SHA256=48D175C9483EACDAEB8FFD09A056799A099D6B2017FD113FE97F01A728E2A367,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026793Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:00.924{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B297DAC8CCB17D2AB1AB4744E99F910,SHA256=853CDDE8F4DBDED47E4EB724B392809A21D6D46307FCA27C1B7387101BE30FED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045675Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:00.006{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB41C48343D79C2080440FADFB5C6A67,SHA256=5A1DB271930E71EEC8C4AE6A4BB41D51B251479E284E1D4E475AFF2F4AC4F58A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026794Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:01.939{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F3FDBB563ED596F047041C3E5F66D5,SHA256=D9D7B254D64F5C2A8A88CAED479DDF1A9296F64B66B92AC15ADC6E3653153108,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045676Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:01.021{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B26E41BB279A93B2E3911E7FA682833,SHA256=02F7119C508B73A2E14BFFB382A4C785A7378B0738DFA8C8CCCF6E2D2339B3EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026795Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:02.955{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=811F013E047DBCE47E5AA454DDF072EB,SHA256=9D88B78CE01A4C863B1F6785960D8983EB8C941F73C847270A26810DEC7D0756,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045714Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.739{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045713Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.739{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045712Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.739{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045711Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.739{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045710Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.739{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045709Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.739{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045708Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.739{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045707Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.739{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045706Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.739{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045705Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.739{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045704Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.739{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045703Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.738{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045702Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.738{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045701Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.738{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045700Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.738{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045699Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.738{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045698Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.738{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045697Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.738{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045696Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.738{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045695Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.738{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045694Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.738{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045693Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.738{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045692Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.738{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045691Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.738{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045690Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.738{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045689Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.738{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045688Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.738{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045687Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.738{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045686Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.738{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045685Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.738{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045684Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.737{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045683Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.737{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045682Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.737{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045681Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.737{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045680Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.737{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045679Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.737{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045678Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.737{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045677Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:02.043{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC5EABC8BA45017013EBB4224DBAE661,SHA256=0E3B9649404FD875D4FACB94B674F50D80FA5D6CDEA5CC6F80E90C926F4AEED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026796Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:03.971{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=090DEAB383500797D38F69162A7613D0,SHA256=8EDEDF50E8AA0310A40636E68FEAB285993E8C547CF3A61E824CA5B1ABB265AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045715Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:03.458{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6FE4DAB36DFBDA0CACBCBF9BB597453,SHA256=3226856CCBD51F8B8303DF8A879773058A98CC092EADC531B0596E48E83503B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045725Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:04.520{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1C14-6136-0909-00000000F001}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045724Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:04.520{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045723Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:04.520{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045722Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:04.520{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045721Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:04.520{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045720Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:04.520{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1C14-6136-0909-00000000F001}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045719Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:04.520{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1C14-6136-0909-00000000F001}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045718Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:04.521{323FE7D8-1C14-6136-0909-00000000F001}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045717Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:04.458{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=301401F97D85A7D99195A8F5F3ED5E64,SHA256=2F4F4119996EB28DE68B0C5034F4A806843E9FB07D898E2B3B663869206478EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026797Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:02.882{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50982-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000045716Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:01.728{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51743-false10.0.1.12-8000- 10341000x800000000000000045745Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:05.691{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1C15-6136-0B09-00000000F001}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045744Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:05.691{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045743Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:05.691{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045742Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:05.691{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045741Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:05.691{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045740Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:05.691{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1C15-6136-0B09-00000000F001}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045739Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:05.691{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1C15-6136-0B09-00000000F001}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045738Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:05.693{323FE7D8-1C15-6136-0B09-00000000F001}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045737Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:05.541{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BA8870F9C84C0CDB3E4702DFB25A032,SHA256=3A7FAF035A4033F5558ECDEA52DB7CE914FC1CD84C6B5BEC0342BFE7135397D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045736Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:05.540{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78E34898B33007EF39A67DA80B4041F9,SHA256=414B70ABB70A0F34829F8D4EEAB330D6BAE8D5FBCE6AF2B6509ED46D6BF3B1F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045735Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:05.475{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8516B165D03C8DE32B3B29D964F2808,SHA256=1916E6C0AAEF724188623109C814D54B6182BFD5F816FD187C5E098B4B6BEC23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026825Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:05.861{FFF7FB96-049C-6136-9F00-00000000F101}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026824Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:05.736{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1C15-6136-8306-00000000F101}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026823Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:05.736{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026822Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:05.736{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026821Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:05.736{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026820Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:05.736{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026819Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:05.736{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026818Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:05.736{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026817Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:05.736{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026816Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:05.736{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026815Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:05.736{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026814Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:05.736{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1C15-6136-8306-00000000F101}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026813Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:05.736{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1C15-6136-8306-00000000F101}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026812Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:05.737{FFF7FB96-1C15-6136-8306-00000000F101}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000026811Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:05.064{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1C15-6136-8206-00000000F101}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026810Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:05.064{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026809Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:05.064{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026808Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:05.064{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026807Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:05.064{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026806Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:05.064{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026805Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:05.064{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026804Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:05.064{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026803Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:05.064{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026802Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:05.064{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026801Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:05.064{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1C15-6136-8206-00000000F101}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026800Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:05.064{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1C15-6136-8206-00000000F101}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026799Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:05.065{FFF7FB96-1C15-6136-8206-00000000F101}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026798Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:05.002{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB2EA8C9583243856CE5A59D880DB992,SHA256=AE1CC35B51057024499F1FD169E8E74FEA005860FD33BFA15170667AD2020DD3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045734Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:05.341{323FE7D8-1C15-6136-0A09-00000000F001}63964816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045733Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:05.175{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1C15-6136-0A09-00000000F001}6396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045732Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:05.175{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045731Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:05.175{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045730Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:05.175{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045729Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:05.175{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045728Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:05.175{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1C15-6136-0A09-00000000F001}6396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045727Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:05.175{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1C15-6136-0A09-00000000F001}6396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045726Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:05.176{323FE7D8-1C15-6136-0A09-00000000F001}6396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045747Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:06.675{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BA8870F9C84C0CDB3E4702DFB25A032,SHA256=3A7FAF035A4033F5558ECDEA52DB7CE914FC1CD84C6B5BEC0342BFE7135397D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045746Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:06.491{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EAFCC2BAF61113449E833472DFE3C8C,SHA256=58B8E59737C26AE00C2B34A6D0B0391429D7531B5E1AFF0CD69218EECB85CAEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026842Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:06.564{FFF7FB96-1C16-6136-8406-00000000F101}26883872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026841Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:06.408{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1C16-6136-8406-00000000F101}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026840Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:06.408{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026839Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:06.408{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026838Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:06.408{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026837Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:06.408{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026836Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:06.408{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026835Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:06.408{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026834Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:06.408{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026833Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:06.408{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026832Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:06.408{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026831Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:06.408{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1C16-6136-8406-00000000F101}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026830Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:06.408{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1C16-6136-8406-00000000F101}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026829Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:06.409{FFF7FB96-1C16-6136-8406-00000000F101}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026828Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:06.205{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7A4E32A6F23A23460F5CE5E71C15AB5,SHA256=8416890811B87D5F633087B16501AC633BD9B21DCE004D51D6FCDB160E40B1F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026827Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:06.205{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41CBA3C13655BE73AD01C7B60EEE5BEB,SHA256=43F36480D08EC89E5AA2FE0B11E5D44E1B78B61A7FBEA22D35CF19D56862B19B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026826Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:06.205{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E8D2DC0BEC1CE77C505052F3D1DFE98,SHA256=11462466AF7FFCB30573DF21ABA7DE8E3C319FB0891CCEE7F87196772F71F8C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026872Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:07.939{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1C17-6136-8606-00000000F101}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026871Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:07.939{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026870Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:07.939{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026869Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:07.939{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026868Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:07.939{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026867Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:07.939{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026866Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:07.939{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026865Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:07.939{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026864Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:07.939{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026863Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:07.939{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026862Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:07.939{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1C17-6136-8606-00000000F101}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026861Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:07.939{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1C17-6136-8606-00000000F101}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026860Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:07.940{FFF7FB96-1C17-6136-8606-00000000F101}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000026859Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:05.700{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50983-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000026858Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:07.439{FFF7FB96-1C17-6136-8506-00000000F101}27323452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026857Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:07.439{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7A4E32A6F23A23460F5CE5E71C15AB5,SHA256=8416890811B87D5F633087B16501AC633BD9B21DCE004D51D6FCDB160E40B1F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026856Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:07.268{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=727A86E633D9F46F4C2FF2422EF628B5,SHA256=CF4696046D7F87DFCEEFAD6912B67274FDA98B8DD5805C08E104F6866F5BA0A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026855Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:07.268{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1C17-6136-8506-00000000F101}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026854Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:07.268{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026853Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:07.268{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026852Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:07.268{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026851Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:07.268{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026850Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:07.268{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026849Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:07.268{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026848Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:07.268{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026847Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:07.268{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026846Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:07.268{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026845Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:07.268{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1C17-6136-8506-00000000F101}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026844Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:07.268{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1C17-6136-8506-00000000F101}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026843Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:07.268{FFF7FB96-1C17-6136-8506-00000000F101}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045761Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:07.947{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1C17-6136-0C09-00000000F001}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045760Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:07.945{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045759Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:07.945{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045758Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:07.945{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045757Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:07.945{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045756Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:07.945{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1C17-6136-0C09-00000000F001}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045755Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:07.944{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1C17-6136-0C09-00000000F001}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045754Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:07.943{323FE7D8-1C17-6136-0C09-00000000F001}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045753Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:07.506{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDC7676A3B51D4D188C7B999D1EEBBA7,SHA256=BE8D7273920C8D61C5E7B478D8F1FB58FDB92D68FCA67E2E8DA761563E9E5ACF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045752Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:07.390{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-022E-6136-1500-00000000F001}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045751Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:07.390{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-022E-6136-1500-00000000F001}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045750Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:07.390{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-022E-6136-1500-00000000F001}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000045749Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:05.251{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51744-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000045748Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:05.251{323FE7D8-023F-6136-2800-00000000F001}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51744-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 23542300x800000000000000026888Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:08.955{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CCEB6CD3A42F8ED22F40A20CE8324A3,SHA256=A37389FC978A1E5D3A9CE63384BFD1BFD92C81FA7C685AC2F52A736086DCFB61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026887Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:08.627{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=177B206BE1E57C18B2910ED5ECCF5D02,SHA256=0EFD7789463732BC957A513D10712EBFE0BEDB7636314E5082B7F564EED46E15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026886Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:08.611{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1C18-6136-8706-00000000F101}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026885Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:08.611{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026884Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:08.611{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026883Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:08.611{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026882Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:08.611{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026881Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:08.611{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026880Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:08.611{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026879Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:08.611{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026878Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:08.611{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026877Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:08.611{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026876Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:08.611{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1C18-6136-8706-00000000F101}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026875Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:08.611{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1C18-6136-8706-00000000F101}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026874Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:08.612{FFF7FB96-1C18-6136-8706-00000000F101}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045773Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:08.951{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12BFF6A63E49E346501922A560043BF4,SHA256=FC7A343FBB4EF1518E75B124ED8B6D1B1B9C21E482522821366ABF621BECFAC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045772Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:08.835{323FE7D8-1C18-6136-0D09-00000000F001}38406112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045771Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:08.551{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1C18-6136-0D09-00000000F001}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045770Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:08.551{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045769Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:08.551{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045768Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:08.551{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045767Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:08.551{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045766Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:08.551{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1C18-6136-0D09-00000000F001}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045765Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:08.551{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1C18-6136-0D09-00000000F001}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045764Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:08.553{323FE7D8-1C18-6136-0D09-00000000F001}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045763Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:08.520{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=353D3C199606E8AF78C3FB72776877CA,SHA256=E500890F5B60EC1F479F633F48A02A7BAD6B8EC3DD6C8A0C1A47A3ED20D7A280,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026873Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:08.127{FFF7FB96-1C17-6136-8606-00000000F101}36922648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045762Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:08.288{323FE7D8-1C17-6136-0C09-00000000F001}62402276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045792Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:09.804{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1C19-6136-0F09-00000000F001}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045791Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:09.804{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045790Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:09.804{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045789Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:09.804{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045788Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:09.804{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045787Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:09.804{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1C19-6136-0F09-00000000F001}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045786Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:09.804{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1C19-6136-0F09-00000000F001}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045785Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:09.805{323FE7D8-1C19-6136-0F09-00000000F001}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045784Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:09.535{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57B005F0C9B514A0366D16CA8AEB5DAF,SHA256=78F11B9A6BC9CB0CBB80F08D37876E2384E80A33916CBC3A6166C3F7E46E57AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026902Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:09.330{FFF7FB96-1C19-6136-8806-00000000F101}40003596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026901Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:09.111{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1C19-6136-8806-00000000F101}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026900Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:09.111{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026899Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:09.111{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026898Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:09.111{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026897Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:09.111{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026896Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:09.111{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026895Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:09.111{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026894Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:09.111{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026893Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:09.111{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026892Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:09.111{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026891Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:09.111{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1C19-6136-8806-00000000F101}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026890Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:09.111{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1C19-6136-8806-00000000F101}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026889Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:09.112{FFF7FB96-1C19-6136-8806-00000000F101}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045783Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:09.384{323FE7D8-1C19-6136-0E09-00000000F001}53846236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000045782Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:06.751{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51745-false10.0.1.12-8000- 10341000x800000000000000045781Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:09.188{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1C19-6136-0E09-00000000F001}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045780Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:09.185{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045779Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:09.185{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045778Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:09.185{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045777Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:09.184{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045776Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:09.184{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1C19-6136-0E09-00000000F001}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045775Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:09.184{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1C19-6136-0E09-00000000F001}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045774Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:09.183{323FE7D8-1C19-6136-0E09-00000000F001}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000026905Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:08.882{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50984-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026904Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:10.142{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4B2D185221183BDED925390DC256C19,SHA256=18DEDEDE01566D5C91C95F8806BAA1F36E16E49ADEB4725B5B29A1B64B164353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026903Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:10.127{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E0240943584EF7E156A74F88B8B0C0A,SHA256=F4DDBAA9C9C015FE88BA4C2D8FB1728B11BD974FBA92D9930CD9A5326A6C76DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045794Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:10.550{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6EDBEC206159A5E97A0E26CB5C3E407,SHA256=7D6B04230904CF14D1E5011F495A72A39C79F774B00C4AEC2DC3D0E74E50F824,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045793Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:10.219{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D03A583CA8420C94274EA701C4A944EC,SHA256=558E88639ABBBC1E1C3F8BB3E0CF4D9D86165FC0D100DF378252BB777B7FB455,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045795Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:11.582{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3BE04098DE6EF23774A1B9F5FC13989,SHA256=F136B4147BC3EE9EB39B136C9E1D6C46BFB53BF1762E26F55E2AAD97310DAF4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026906Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:11.361{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CACBD61EFBC13A1C57B5F1C53CFA45B2,SHA256=5C99BB135040572CE3325DE94223A537FEC9A7899385E40686B911BFA7A07608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045796Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:12.617{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B00BF1B312B9E852AB117E21D7F98AFC,SHA256=7B339FCC026B9142CE677145BF48BB9443B731D197B141FC1BEC13EE118C508B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026907Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:12.361{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D5B038FAA33908E3ED5C46CCEEE6A1C,SHA256=1673CB3D9E3E175226740CCC390885B1B0F8D04E77B2F44A81A9984FAB58AF55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045797Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:13.648{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12E9D820771A97A58F635C68C05F6057,SHA256=F57CFC1B86B530F86E31BAE1398DBCD8FDD643632257848C4E4D5972D337978D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026908Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:13.408{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39FA3BC56AA1714A346FDA3EDBC895A4,SHA256=D2A928C23E17791BEB509EC391DAA482EB4D82C2896112D20D6F77DF3583D649,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026909Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:14.424{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3842E903EFBB1648059B876A3856FEF,SHA256=28A1616EB297F12B4A3BBB41FF9B594D5B50A892265B88B0E302318FAB9C47C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045799Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:14.662{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D2ECA5A141E9E53829908DACD02EB99,SHA256=39F28AD2B757D6E78ABAD58EEF56E903C9D6CB4959FEFC240C3657285268F98A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045798Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:11.771{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51746-false10.0.1.12-8000- 23542300x800000000000000045800Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:15.680{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C7D2E172F89EF07B05A07B054405E18,SHA256=F367DDE431D9EC82C2586778AC66388FCBF963B0FA32F27461609D0D580814BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026911Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:13.962{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50985-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026910Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:15.439{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36A57A5C6674EBE2354A1D52EC8AE053,SHA256=19D61F5274FF685977D34D9430B4A95031A216FAA8BACCF2AA84C5545D2FB047,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045801Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:16.698{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5570E7D537D7049E59565BDFCEFA785,SHA256=9B05FC829EAE324FD3880974954279139D43562A41518C008A3B3C0CC032EDDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026912Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:16.455{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C8B247166AFD7A2D7F753AEF9149024,SHA256=2478E7427561E93A4BF6EA5B8750A9B3304407788D3CEDBAF27A6F0D6712073A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026913Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:17.486{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D7F982E62408E85908928838E88BD77,SHA256=3B1FE490D1F57789B3C503B26246221638E1CC92A036A167340B3804F1AB6664,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045805Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:17.713{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA6C112D28D558BA03682D10F5CE9F19,SHA256=3E39435654B01AC1A86CCC55CA4842243C24FCD111AF1D7D9915CB1A9B076680,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000045804Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:48:17.429{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9752B235-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9752B235-0000-0000-0000-100000000000.XML 13241300x800000000000000045803Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:48:17.398{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CED8D70C-FDB7-4280-B713-3A56B1B8A289\Config SourceDWORD (0x00000001) 13241300x800000000000000045802Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:48:17.398{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CED8D70C-FDB7-4280-B713-3A56B1B8A289\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_CED8D70C-FDB7-4280-B713-3A56B1B8A289.XML 23542300x800000000000000026914Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:18.502{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E20EEB762B64E6526E2F562BA03BB48,SHA256=44A5652A83D445DF2FBF78A99AE34EFFA3011A7142B23CE40374592822840DC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045808Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:18.728{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B352C8100F7276267DAC82F841CE3A08,SHA256=A5BA22EFE364039946BCA49D59D31F35060EF274DD31E0CC8C0E6D33AE980799,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045807Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:18.460{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B22EF71D286FA11398D5465C73A378D,SHA256=64E3AC03308EA154C2B05FCDF760537A157FBE617C35C0A42DE6B02229124B81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045806Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:18.460{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BB29CE2E78B61EC1965E6CEC75564B4,SHA256=7B0C32546C95259612A009EAAA556EE7C8E95F67362034E493F43E9B460258A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026915Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:19.513{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E5ABC5F83E8DA6DA1D309D1A08E7CB4,SHA256=AD5572CB34FC0D42442CD74F9B1ECEB627A0C465B0ADF05A4C71B832D006BA12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045815Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:19.778{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E072E6FF87082AE42DAB628637574B8A,SHA256=01E71B51B40BF78C7D88BEAC60B2E4E63FE7DD1695E51638CC262508AA764251,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045814Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:17.029{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51749-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 354300x800000000000000045813Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:17.029{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51749-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 354300x800000000000000045812Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:17.022{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51748-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 354300x800000000000000045811Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:17.022{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51748-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 354300x800000000000000045810Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:16.991{323FE7D8-022E-6136-0D00-00000000F001}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51747-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local135epmap 354300x800000000000000045809Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:16.991{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51747-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local135epmap 23542300x800000000000000045817Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:20.876{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F2016F0888362B3DA079573B95E56B5,SHA256=DE0678B04EEFDC4F9762E176BFDA0122DCF4AFC4FAC9CD50FBF24098E8E1BFA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026916Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:20.529{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4CB0431578A1D349AA1C4EF296F0F6B,SHA256=3731171714E6211B07F4742E81697CB9CE3D97E117DDC36FD260420B236647C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045816Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:17.704{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51750-false10.0.1.12-8000- 23542300x800000000000000045818Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:21.910{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D74826C4AA6FC31E2DF5A4D14C83B822,SHA256=9DFBD5301A622E770BFCD48EB977D7AC1E97D4B0A8437815A0B5B7CFC48A23CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026918Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:19.050{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50986-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026917Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:21.545{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B65B0ED75FFF4CB23C80F9CA32C65E9C,SHA256=E402A93F51B8439FC18C5611196C179E71D1BBE74D3DDC5562E77901B62C65B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045819Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:22.925{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E62085C1E34B09549B0D8FFEDC9837B3,SHA256=F4017519FC20A68D02EBDC67348019FA10C60322887F4BDE8A722FD6B052AAD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026919Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:22.560{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8395A19C645E9824B11DBF70569D34A9,SHA256=C2F103978BBF1879E0BDF6E2E0972D4EECC6F13CAE10C16A138B19EDAF8DCE38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026920Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:23.560{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCCD8947890C3F33F8CE5EB67903DD98,SHA256=9CC43FF237170912E60CA19474F3A8AE76975D01A5FB27AC24518AB4655EFA7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045820Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:23.940{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EE4100CEEC036CD07033346BCDF3B28,SHA256=688C03476991B769DA7083795ADF8DAE814B309029F2FB0B4BF22DFFB5191361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045821Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:24.973{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42D5951C53327A5CA0037DD94F84CD61,SHA256=61A006ACCC8B3ADD3EC706819F6C42A7DF8A29D479E8578196ACA9F6D8F6CFAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026921Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:24.576{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=749820E58F15FC353C2615EDB1E7AF5A,SHA256=7211664409E3450D2F23A0B0C1A0B089F4AAC2E28AB1303D68564716D83D896A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045823Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:25.994{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35785133D0AF2D94D53138A504A2BE48,SHA256=73CC0B821752C0BB4C07FD7C4F9FB8D623B1E460F75DDFA72B502D724009079D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026922Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:25.576{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E923F268026FBDDA8639F48ED7C404B,SHA256=29CD59D7FDD8A05010E969D0CD08DEFFFEFBD1451E276AD90A9871AB06EA3875,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045822Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:23.633{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51751-false10.0.1.12-8000- 23542300x800000000000000026924Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:26.581{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A1397FC4CF0824E4F56EC1C24EC662,SHA256=C9DBA94DFC84D9D6689C874F2BBFF81B6AF3C138868AAB86FED7056F7C21EAD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026923Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:26.221{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\respondent-20210906120554-099MD5=4761C661187147E55C9BD88F93ACDD3F,SHA256=E49051AD655512C416AEEFA39D6145E31F50204E8459201070596158B48A8487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026927Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:27.595{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83CD15F4334D85633F926579DD06F720,SHA256=05C08527DD045FC150673B9D349F36315872E4D854AE7A958AA80A82BB2E0E18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045824Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:27.025{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=189622CA1434FE7167133DDF5C0A701D,SHA256=16FA46EC4FB8524A5947810480375FC234485D8E4DC1E693696D75245DD8FFF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026926Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:27.223{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\surveyor-20210906120551-100MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026925Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:25.096{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50987-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026928Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:28.598{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F4500CAA8707676FE0E3807CA80BC25,SHA256=806566103F03AC4C8AC03EB15CF48B491E8678FF95D3428F707C8F6E9B6E802A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045825Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:28.040{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=466A3929EC173CAD3A86F7C0FED673B6,SHA256=BAF167842F811E6C336B6410F4447C0E178B80E385DEE21B9AB1C91D6F522F8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026929Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:29.613{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE335D4273AC235E7AC95D215069BF01,SHA256=80E68D115D67939EAC948C783F3DE5C835933DFD895157158E8443BC32419603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045826Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:29.040{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88C06AAF810C78C2C04047176AFD212B,SHA256=DA3B7E569406D941ACF792647EA742C7286C0D39DE2CFA2E875662F3144A1FC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026930Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:30.613{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FB48E2C269E50F6C27BC637E95ACCCE,SHA256=843DC4FFD90E0C000984B31AA9873CD0A033E97E22B951D0010C581911786B34,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045829Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:28.647{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51752-false10.0.1.12-8000- 23542300x800000000000000045828Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:30.392{323FE7D8-02BC-6136-A700-00000000F001}1036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045827Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:30.073{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A62347C351E2D3EB1F93A1F2F87946E,SHA256=C894CA0F26C858A852D11A6F2D98DF4F1AFE6D5D91BCEBEE2204865F32AECE80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026931Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:31.613{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=096C72BEB6E0831B01264ADE1CF56BB3,SHA256=D924DAFB9FA541821DA6070E91F7DFA36AE0D9358078A93E5A129C6967AAC929,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045831Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:29.962{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51753-false10.0.1.12-8089- 23542300x800000000000000045830Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:31.092{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=543992868D9B1568892B94242CB5D1BF,SHA256=0BCCC5A7DC2C96E0DF0C9F7F26E2119A673B25938DA6B5460C4C1A110F913CAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026932Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:32.629{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DE711A5E92CCABC1208BA8239630D31,SHA256=1570E3886E97813E503D558C1FF52083C20A63876D057DFA9BDB2710B19599DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045832Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:32.107{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A446935E02D1D77B0BA422E0EA5F6C5E,SHA256=A7F191FAB65A3E42307504FA546A423FBEB50B0E08F9D9A6A72D8E5D197BD627,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026934Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:33.629{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C8058D979105A029B3F36F4A032BDD3,SHA256=80FAD5F5C8EE862476BCA9DBC6E82051423E394D0FC380D131AFA94522FAD7D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045833Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:33.107{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDC073B8A109CE322D4921C887D9F60D,SHA256=D1773DA3581990BE317A8131FC8D4F587091D11FB58B02D2B85878EC7BB7D2E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026933Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:31.040{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50988-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026935Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:34.629{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=474674B99A04275002A2614EF677A37F,SHA256=ADBC77A588C569FC94BEB7C81F778DFCBB519B66B8F3E5D22A506BA7E80A807A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045834Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:34.138{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF34BCEF1DD9E4A5F897C6F4CFCDAEF8,SHA256=EB5831EF219F467F9072D6F7F0723A30546AF095926A7B54F501A44FE76E8244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026936Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:35.644{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC86D61F53B00EF46E4822B274B20BB2,SHA256=EE21AD4BF274786246BA10BE21F2C36BFB74F53A146C031BDD18DE8A2B5B96D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045836Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:33.745{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51754-false10.0.1.12-8000- 23542300x800000000000000045835Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:35.153{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C424329C88E6062236EB957CCC1AF1B5,SHA256=6B66230E465B6F61B9212ED48F4A8D9467EE56BB1C1DE54C4346B2ED3E29D136,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026937Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:36.644{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5A30F576BE0FE7C056F9336E98E615B,SHA256=EBD744701B0D030DE4407CBE967BE370F42C5831EEF6C6AF46E880286EC1A50B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045838Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:36.290{323FE7D8-022E-6136-1000-00000000F001}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=98A8B2E403749B31484A5DE41646CF5B,SHA256=50964BF9465CB1D73EE2A340097D380D99547489BDC1FB8D35A789EB9C4661CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045837Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:36.171{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DB9CE345B1B4E0CE596C3A27B30586E,SHA256=EA91491B934C82907C6E3985757A851AE78F4417836C60949671F6A2AC72AF84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026939Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:37.660{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6745924454F39DAD2262101109F10C6E,SHA256=FAD120E470BC2A2779818C62FB896F59235AB92FD51B72443545DB1D4CA6B5D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045840Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:37.957{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\respondent-20210906115753-107MD5=58D52BFFD80488B8005F7C319C2D4334,SHA256=B9D8441D1BC2ED8425146F5F211E2A21C477807F4E0B7EBAD9811C868FAB9279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045839Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:37.189{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53C64856FDE816A9D0DC75F019724CCF,SHA256=B40FFEBF25F4F48D32D0AFFD5A294C8056AFF7ECB868FF9F1000AE9F07DC326F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026938Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:36.071{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50989-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026940Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:38.676{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A9D74C7636698E5789A47DA016F4DA0,SHA256=B0B66D4763188D1738E346A3FD088DD0F58E8C65A390D2FD75493174B0163A80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045842Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:38.952{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\surveyor-20210906115751-108MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045841Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:38.205{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D6D4BCC297AEC910B8F5D450A81678A,SHA256=3F9FEAA891F28E76B3D9C81C3D86641F335DF2E3E4985ED013C9CDFA65128CE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026941Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:39.685{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D69243F4787EACBDA00C48B89366E1,SHA256=24598C73F95B3EE1DDF2A8FB55368B4E58CF143DDA7DA52AFF1A501DC404BBAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045843Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:39.220{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A74CA02C2B60C1EAAADEAC3FD9CC800,SHA256=0AD825EE164B6383CEA451885AB67C2BBDC647FB933E539E3BEF1B479F1A048C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026942Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:40.685{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DCA7F1FB51251639A51EC46E2DD5386,SHA256=3F4CD1CDF74CADC92486A92E563E41911C470837ABD29F1CC9A3898C5AA5ACF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045844Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:40.235{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8E28AAAF03268DE5C999D4B5379780D,SHA256=E50FECD2CEF0F2BBBCFD5E2BD58C0DCECE00D50B6AEB37AB14FD78C3BC9FEE7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026943Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:41.700{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B43DB25430F6A6FABBD3E09B3FA439F,SHA256=B48853FEA6C3B3FC801AD5E4128C3F106F57267EB389E062C9051F3539941B72,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045846Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:38.842{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51755-false10.0.1.12-8000- 23542300x800000000000000045845Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:41.250{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51EDF7DC0A30421C6D00DDDF92B9DB04,SHA256=C0103A2A7D142380E229E505D3535B8B80D62049CCD3F7993CECF0B591B8C745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026944Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:42.700{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=798838168BA50AFD456543FE0E42F3A6,SHA256=EAD10D7CA4A56EF0CBE82FF2BD2579F50CBEDA502E3494EA8D9000F18A427CA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045847Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:42.287{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40A1B584C75D83C81E97EAE0F0416D7C,SHA256=9E96FDC7FF64D56E208E7D9619EAB7C27E79F31F9A829130AE0443F973BB98A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026946Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:43.716{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECFB33DFE2834765FA40AA7BFC6598B0,SHA256=660DF734AC238780792A3099867509584F926BEBD1A73582CDF977C65BB5E3D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045848Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:43.317{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D74EB3E3D5932DD35E584F76B0B8E2D8,SHA256=816357054AB93C494C3E05CD019A8CED197D69BB218D1DDD5458A484937CEF3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026945Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:42.096{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50990-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026947Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:44.716{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4825DCD7DE925929EAA928EE0867EE,SHA256=1B2B836FD903B4ABC4CD9AD5EB86055BABFA90E58E05CB75EB8A7BA0AA2A6036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045849Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:44.348{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=975A832AF3602FAB8607C0CF95C5A417,SHA256=AE23DA68C4F9F3397FF57F312D877697EC7902098F9059084D7C1450DC1D3131,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026948Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:45.732{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEB18497155EFADAD227DA56C4C8AE12,SHA256=2033DD63B92F4B81061D10C5409AE3320F88BE47DC5D98A847F222474E6090DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045850Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:45.385{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0F16C5032B5002759DE0567379515D8,SHA256=7FEB81EDFCD744B6A1321A1828E7EE99D722C5EF7FC3944A1B21FB2C38685C13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026949Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:46.732{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5914635F7B5493B702F81A3C61F75FE1,SHA256=B2522709E0BA78ED54AF4FDB681965C1A8CF092F576816E4CA6F844009CBB8C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045851Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:46.386{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FBCC499BBA496ADF24C88913778D59F,SHA256=854186BB0E55A40EC64103217BCAB2674EB1C18597F90F9AEE34263B8154FBC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026950Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:47.732{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=098B49FAB5D4039AAE1DFA137B1A17FC,SHA256=E080E1C43EBF2B4777F4E19BD2EF9C4CF86E5D6CF13C264123602AB860430C13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045853Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:47.401{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADB8E1DC3712CB4533D67CCDD625A042,SHA256=BB9FCFFB58DD1537F48D5129F0FBBEAD4ABCEEF753216A243847A4A212A7E37F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045852Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:44.692{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51756-false10.0.1.12-8000- 23542300x800000000000000026951Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:48.747{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B5ABC77B540F830552D2CB6125DC2A4,SHA256=C9088BE7D27B2FBE15D558611B36A49AE1F8DF8C8D392AE718E6D2205F95B413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045854Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:48.416{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9607002BA12DC5AAC68CA77D7230B2F,SHA256=918CB53FF8CD861787E9685F7ACF0E0FEC9AF4750453AB43AB7762068AB881E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026952Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:49.763{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A15FC03EDE8574E54487AA3A7E078831,SHA256=D0C73C1F4725AADA35B85ECEDC6464241773BC87ED662248BEBB89E05A3FF7CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045855Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:49.446{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=696A984320F1E559ED07753DCEC09FA0,SHA256=E393379EF68ED033179C4E756E8DF16B5CC9643CA05814EC48552D3A93022271,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026954Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:48.112{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50991-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026953Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:50.763{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=586962C0C0C0907120B4976BA52F6AAD,SHA256=E3A95F5D8889A6984D21B94A14AE1D18744B97A4A788F589727B9B560495AC34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045856Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:50.466{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94F840B29F3E8C8143F29CA288C7FFB4,SHA256=33F09B2CF8F755965EC26EBA0D920729CC6FBD585DABD31F942353B63914443E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026956Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:51.778{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E60F3B66F621C77D0A60F2C01BB8C028,SHA256=B4E1587542228C7A8F6A37B34F50B5D3A1C6A600E741985D5DEEB59181539252,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045857Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:51.482{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98C78C4E0D1857893FA2A93C9B544C5,SHA256=3A662CE12EC50A890C3C84A833D43D79585B777ACF9EEB227A888E43912EC7BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026955Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:51.653{FFF7FB96-041E-6136-1200-00000000F101}1020NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D9947A6B94BCF0C2BEE618F6942310BA,SHA256=CD9E01FF216202EC594D63F88CB2DAD36EE3445B8628BFBFDAC884486DB52FCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026957Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:52.794{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6371173A04BA26B3806633DA03FE7AB9,SHA256=B6226D9751BFF05C668B28B653EE17C2BCF972B9F4591BEBBDDCBC67002ABDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045859Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:52.513{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EED2A96AC68F5788596AE21F7BD92AA5,SHA256=A6B5408BCA9386F042968D322142B6C0CEA518270C3D934F658A69D772FC692B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045858Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:49.837{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51757-false10.0.1.12-8000- 23542300x800000000000000026958Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:53.810{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA0E61C2F383A67A61BFA35C55DF05FA,SHA256=97D5F13A024C77EA2FA95003EA29B2450877F7CE64C65A12E6556E017A951943,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045860Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:53.528{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82F4A388FC02A331154F288650D9E750,SHA256=36CFFD90F8A72637079396BA1AB740A78CC08B6ED9842FFAF41C049ED675F47A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026959Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:54.810{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA789454349AD493E9F608FD62458C03,SHA256=73A3978716BC72A29AAD9EBBD7D88DCE7A2EF1C6BF719D2113A7A266F074938F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045861Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:54.561{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D3D48D3F77EB7508C2C7183FEB6AD10,SHA256=8BFD44B2B6E019BC2858C51D46C7B1C40413FFF4B872B228690D64B571C7922B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026960Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:55.825{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B4325A17310E9969B56F6B80093DEE7,SHA256=6A5EA78E3D963AAA651DE1D9C2AE49938EF668930946760376CF906841811271,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045862Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:55.580{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA5BBC25D8A8CAA6821A96FDCF34D305,SHA256=24D279577EE774FB6759A756AC35BE974E3DE30EAE30A8E924FF35DE2C3D6AFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026962Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:56.841{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDB9558907FFFF8307259EB10ED60614,SHA256=D95EF8EABF42B53DD0BD4E973A743E1621FA7617486B463C4EBAFE834CDAD1F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026961Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:54.049{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50992-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000045863Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:56.610{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=183C56D067D29BFACE15B7331AC61CC6,SHA256=F5DF2639369C788D1A5264EC80C78FF7C6898EA9B1A081C0CEAF3756B04581CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026963Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:57.841{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=380FAFBB9A211C83A23F64EC1A8C7889,SHA256=8255A314A8746CC964F1D94F3C6704EFA798B731AC52189A159ED098FC3806FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045864Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:57.625{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9C24A51A42CC73A1133BF6971CA440D,SHA256=FF704DD3F7551C2D6DD265B75135E8EE08743D309A1B550005A8D5CDA0929466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026964Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:58.856{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3F243049E5BD01F14A151F080BC819B,SHA256=19767C78809D4536B3315CE0420DCA97E56F911BDBF97C578EFDE0A799FA3FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045866Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:58.640{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9873F2F9A31A00DBD0CED2FA6F0A9880,SHA256=34568BE0DA2547A240ED99F3E52D73F48347B26DDBAD7A3FCCFFD4B95790D5A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045865Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:55.717{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51758-false10.0.1.12-8000- 23542300x800000000000000045867Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:48:59.658{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4783A313538C2CA8A1608FAD1A837982,SHA256=94EFFE5E56AC77E4A0D9B022CBE727BA8023A74D563D4E89CD2AF9FA4C76FB1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026965Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:48:59.860{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFF7CA0CFFC8A98ECBABAD37CF85C4EB,SHA256=EDBE9F021A3B826751C9F7D3155BBBFE42E947D3995634432E731F7B90D9CC14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026966Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:00.860{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3A8EEAB9570AABFE442C2469B79D228,SHA256=AF1555DCE26F7F1483256D48C5583766129EDAD1B4C92828D0179AD1675CE53E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045868Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:00.676{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A454296BF1D9FA225E8D95D7BD1D3DC3,SHA256=93B4449650B5768EE621CF1EBCD57B38A114E11814E9A4A2E1110541507E34FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026967Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:01.860{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C53CB634CF1006EC3C69E7FE143160F,SHA256=A006B86797578EFB98B08979C3E3ACCA2003267C89C6554B5DF375FFB4104EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045869Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:01.691{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AD58724A1E904280406F459C574C421,SHA256=8A27B7EC7888563F4B84E02AA3DCB70778DD8BAECFA914954BDAFF7517A4E7F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026969Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:02.876{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EB446AD03ED93191BFF7BC373A6F1D0,SHA256=EF5CE3AF752DEF8C8BE963526926F01725F410967B90252936E23315595D558D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045871Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:02.722{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D191E1A085ED7C7CE01B61AD471462B,SHA256=720F5853EF38697703166A0E8BB00E31C8AC29AAC4CDD69420CCF1004EE9F0D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026968Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:00.037{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50993-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000045870Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:00.767{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51759-false10.0.1.12-8000- 23542300x800000000000000045872Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:03.737{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=243E8399F4408E69006898BFC98C2F34,SHA256=E2B09D6FEC8424F2DCE0AA19779A02958E12154CA6BC6F6A174BC8159EA6C809,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026970Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:03.892{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86702DFB021B2E3954F12B65D29A29E4,SHA256=9717AD78606AF34AAAD7E1B08E5423B2B9D856D2D34BCB6E67F32C5F3DEA8E3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026971Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:04.892{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CAA0C0C12A741B5C9668661A3EDA822,SHA256=4C566E0B456E81ED83C7300404B4E0D9CE1B1CADCA4297564E0D69304C8A82CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045882Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:04.758{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4FFE12B76C0AD15226E4B06C944D83F,SHA256=390693FAC121188798113F15660A0A02039FCF18BDB546249E7711B4C73CE5C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045881Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:04.705{323FE7D8-1C50-6136-1009-00000000F001}44363836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045880Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:04.536{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1C50-6136-1009-00000000F001}4436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045879Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:04.536{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045878Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:04.536{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045877Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:04.536{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045876Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:04.536{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1C50-6136-1009-00000000F001}4436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045875Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:04.536{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045874Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:04.536{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1C50-6136-1009-00000000F001}4436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045873Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:04.537{323FE7D8-1C50-6136-1009-00000000F001}4436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045901Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:05.773{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85EB7AF86C686D8265B4E4CD4B5A0894,SHA256=E415E1368F58EB2385D0D3A5043720909866633DF89BD92CCFDA1728D4C386FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026999Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:05.892{FFF7FB96-049C-6136-9F00-00000000F101}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026998Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:05.814{FFF7FB96-1C51-6136-8A06-00000000F101}3372916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026997Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:05.673{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1C51-6136-8A06-00000000F101}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026996Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:05.673{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026995Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:05.673{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026994Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:05.673{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026993Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:05.673{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026992Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:05.673{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026991Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:05.673{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026990Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:05.673{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026989Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:05.673{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026988Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:05.673{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026987Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:05.673{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1C51-6136-8A06-00000000F101}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026986Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:05.673{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1C51-6136-8A06-00000000F101}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026985Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:05.674{FFF7FB96-1C51-6136-8A06-00000000F101}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000026984Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:05.001{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1C51-6136-8906-00000000F101}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026983Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:05.001{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026982Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:05.001{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026981Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:05.001{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026980Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:05.001{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026979Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:05.001{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026978Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:05.001{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026977Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:05.001{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026976Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:05.001{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026975Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:05.001{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026974Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:05.001{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1C51-6136-8906-00000000F101}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026973Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:05.001{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1C51-6136-8906-00000000F101}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026972Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:05.002{FFF7FB96-1C51-6136-8906-00000000F101}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045900Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:05.757{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1C51-6136-1209-00000000F001}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045899Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:05.755{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045898Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:05.755{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045897Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:05.754{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045896Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:05.754{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045895Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:05.754{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1C51-6136-1209-00000000F001}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045894Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:05.754{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1C51-6136-1209-00000000F001}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045893Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:05.752{323FE7D8-1C51-6136-1209-00000000F001}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045892Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:05.573{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADA8810BD48078D69D49883CD3B05346,SHA256=D556ACF09F3805ED84B2BC249DC8894D631BA273A63B1D981A9EE7C979FF45DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045891Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:05.573{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B22EF71D286FA11398D5465C73A378D,SHA256=64E3AC03308EA154C2B05FCDF760537A157FBE617C35C0A42DE6B02229124B81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045890Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:05.136{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1C51-6136-1109-00000000F001}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045889Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:05.136{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045888Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:05.136{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045887Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:05.136{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045886Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:05.136{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045885Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:05.136{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1C51-6136-1109-00000000F001}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045884Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:05.136{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1C51-6136-1109-00000000F001}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045883Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:05.138{323FE7D8-1C51-6136-1109-00000000F001}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045903Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:06.804{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C51721DA1DCEF55DAB8896175DF8E2C,SHA256=137AC6801F7712E30CBAFAEF90163DF0A2F59F84F135697F584039DC12000D44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027015Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:06.345{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1C52-6136-8B06-00000000F101}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027014Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:06.345{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027013Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:06.345{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027012Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:06.345{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027011Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:06.345{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027010Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:06.345{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027009Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:06.345{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027008Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:06.345{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027007Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:06.345{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027006Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:06.345{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027005Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:06.345{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1C52-6136-8B06-00000000F101}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027004Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:06.345{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1C52-6136-8B06-00000000F101}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027003Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:06.345{FFF7FB96-1C52-6136-8B06-00000000F101}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027002Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:06.142{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06FA6CEBDF974966F2E334F2CB6338CF,SHA256=AFB4EC3E907885C6EA451B4C4F0FEC25A4444F37F0990BF371626A8AA9838877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027001Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:06.142{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=479F3238CE193AFDCDC411D129E4A3D0,SHA256=35043BCFB082709A9EADF1F2940BF53513959C2FA0813575E8FDD2390FE20718,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027000Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:06.142{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7728B0FBD7C6AD1A542A82B225CFD1BE,SHA256=4A49517510E946661D81B3D2A1A3F7AE2798E5482DB5DC1C567B0D13BDD75D50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045902Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:06.736{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADA8810BD48078D69D49883CD3B05346,SHA256=D556ACF09F3805ED84B2BC249DC8894D631BA273A63B1D981A9EE7C979FF45DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045914Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:07.957{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1C53-6136-1309-00000000F001}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045913Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:07.953{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045912Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:07.953{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045911Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:07.953{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045910Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:07.953{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045909Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:07.953{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1C53-6136-1309-00000000F001}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045908Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:07.952{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1C53-6136-1309-00000000F001}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045907Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:07.951{323FE7D8-1C53-6136-1309-00000000F001}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045906Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:07.835{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=369876997B3F708E782C8981859AA607,SHA256=739AB01030FFA5044C558DA49881CA8825BD7227ED7204EC618204496AA988B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027045Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:07.798{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1C53-6136-8D06-00000000F101}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027044Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:07.798{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027043Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:07.798{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027042Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:07.798{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027041Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:07.798{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027040Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:07.798{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027039Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:07.798{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027038Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:07.798{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027037Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:07.798{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027036Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:07.798{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027035Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:07.798{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1C53-6136-8D06-00000000F101}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027034Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:07.798{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1C53-6136-8D06-00000000F101}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027033Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:07.801{FFF7FB96-1C53-6136-8D06-00000000F101}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027032Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:07.798{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06FA6CEBDF974966F2E334F2CB6338CF,SHA256=AFB4EC3E907885C6EA451B4C4F0FEC25A4444F37F0990BF371626A8AA9838877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027031Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:07.798{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=723C670D8B09A4ECC1D7E6AF5A29B111,SHA256=579E3A8C29DFA22AD89A274A7A7E1CB4517FE48E70EC408EBC1C420834AF169E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027030Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:07.439{FFF7FB96-1C53-6136-8C06-00000000F101}35642888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000045905Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:05.265{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51760-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000045904Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:05.265{323FE7D8-023F-6136-2800-00000000F001}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51760-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 10341000x800000000000000027029Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:07.267{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1C53-6136-8C06-00000000F101}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027028Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:07.267{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027027Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:07.267{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027026Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:07.267{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027025Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:07.267{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027024Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:07.267{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027023Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:07.267{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027022Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:07.267{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027021Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:07.267{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027020Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:07.267{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027019Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:07.267{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1C53-6136-8C06-00000000F101}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027018Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:07.267{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1C53-6136-8C06-00000000F101}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027017Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:07.267{FFF7FB96-1C53-6136-8C06-00000000F101}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000027016Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:05.725{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50994-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000027076Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:08.954{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1C54-6136-8F06-00000000F101}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027075Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:08.954{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027074Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:08.954{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027073Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:08.954{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027072Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:08.954{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027071Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:08.954{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027070Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:08.954{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027069Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:08.954{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027068Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:08.954{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027067Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:08.954{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027066Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:08.954{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1C54-6136-8F06-00000000F101}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027065Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:08.954{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1C54-6136-8F06-00000000F101}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027064Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:08.957{FFF7FB96-1C54-6136-8F06-00000000F101}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027063Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:08.954{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FE85274609899D32953BAC19121421,SHA256=B475CA0BF106E46BF34BF5C2C819E1EE46C87127C9F1DB9D1B315874BC6A56F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027062Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:08.954{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86D5A5CB3E2DD24931624974779D7C85,SHA256=9FD5DE70BBCDC75A976178D5302EA179FC72F02341E9169CC037C05F2DFBAE37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045925Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:08.867{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F581B495CCAE4121F68CC32EA29235BE,SHA256=E16E34E15AFC5ABA10D2A9290BACD497A7B48F7E55777F09BBCCBD1AE7392EB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045924Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:08.799{323FE7D8-1C54-6136-1409-00000000F001}47161360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045923Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:08.630{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1C54-6136-1409-00000000F001}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045922Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:08.630{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045921Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:08.630{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045920Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:08.630{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045919Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:08.630{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045918Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:08.630{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1C54-6136-1409-00000000F001}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045917Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:08.630{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1C54-6136-1409-00000000F001}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045916Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:08.631{323FE7D8-1C54-6136-1409-00000000F001}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045915Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:08.135{323FE7D8-1C53-6136-1309-00000000F001}59842880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027061Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:08.439{FFF7FB96-1C54-6136-8E06-00000000F101}1032216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027060Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:08.298{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1C54-6136-8E06-00000000F101}1032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027059Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:08.298{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027058Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:08.298{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027057Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:08.298{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027056Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:08.298{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027055Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:08.298{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027054Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:08.298{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027053Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:08.298{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027052Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:08.298{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027051Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:08.298{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027050Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:08.298{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1C54-6136-8E06-00000000F101}1032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027049Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:08.298{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1C54-6136-8E06-00000000F101}1032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027048Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:08.299{FFF7FB96-1C54-6136-8E06-00000000F101}1032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000027047Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:05.944{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50995-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000027046Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:08.064{FFF7FB96-1C53-6136-8D06-00000000F101}1648592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045945Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:09.983{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1C55-6136-1609-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045944Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:09.983{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045943Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:09.983{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045942Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:09.983{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045941Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:09.983{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045940Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:09.983{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1C55-6136-1609-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045939Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:09.983{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1C55-6136-1609-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045938Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:09.983{323FE7D8-1C55-6136-1609-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045937Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:09.883{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA0356A54714E4F881F0D05D12E11068,SHA256=A5CBF8DE703F403C6AA540FDF43BE116740698834CBAB2CC85FDE39EE3EF8B54,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045936Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:06.765{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51761-false10.0.1.12-8000- 10341000x800000000000000045935Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:09.483{323FE7D8-1C55-6136-1509-00000000F001}61004464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045934Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:09.298{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1C55-6136-1509-00000000F001}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045933Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:09.298{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045932Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:09.298{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045931Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:09.298{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045930Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:09.298{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045929Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:09.298{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1C55-6136-1509-00000000F001}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045928Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:09.298{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1C55-6136-1509-00000000F001}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045927Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:09.299{323FE7D8-1C55-6136-1509-00000000F001}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045926Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:08.999{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D27B431B49D40922D3C2A5AF870EF33,SHA256=D6D55D3A042D10D9F46E68E6558CAA4CD1F779521DB806F2C1AC38E69E4F290A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045947Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:10.883{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=456336EC3B157CCDEB4F07733560AA70,SHA256=24D23F60A5260E67D768FAC1D6EB0666484C848FFAED1B5894D1407FD7A7F101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027078Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:10.173{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B873342D1698DCA66EDB449C01AAD0E,SHA256=5B92FEC5B00E81BF119D89BF5D58DF544F087BB661962F9E1EF732688312A34D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027077Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:10.173{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD687044D18C4908A019DF21BDE4FFBE,SHA256=D329C0F53633D892776FCE7B0E7037E2A0D355722BEF4981CCDEC23CB25F234D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045946Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:10.315{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47C6FC1EA0212F5D93ECB7F3697F87E1,SHA256=52C90FC8543A86CA21BE63A80562B9634F0A46A99A353DD6DB83DEAD835CD16E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045948Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:11.914{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=888170655EC3707CDC53D97146A613CC,SHA256=0CA8DDB93616DCC5826D15657ED2E86A9519206661FC5BC900767BA25BEADB1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027079Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:11.204{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4116251155BA58C9FA1EAB3CAAA758EA,SHA256=9E9E5F61843FE950735DEF4D80CD4012C87877D6C478FC41B4B54D3C64182E9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045949Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:12.929{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A36A487554CB4163B2D9EFF2698E341D,SHA256=5EC0EA57E3E7E55C11BE3FAF0240663B707E15873A17F1EF8CF4A1E43989809B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027081Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:10.991{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50996-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027080Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:12.204{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081CAA922019CE4B009A379B18EEDB73,SHA256=FE15B866A8BB3F94BCFDEA0FE4062C29A549564D5A4EA0BE663B61BDA95C24C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045950Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:13.944{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C86E7ECF97863FC21A266759C4E49211,SHA256=4CEBFEBD09F069DD8F188B552550918719514727A13CEBDEF19F598A78B80FB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027082Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:13.220{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB748BF99ABD84FE434A82D6369758FB,SHA256=9FBB016C16A8DA9A234DDBAB85B2A5042A807866E3366712CEDE5482FA4C5AE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045952Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:14.961{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B85FCFDEA96D2373621AA81280B14CF,SHA256=6AD87EEDCBFFA607FC5CFFE59E1389440972F1E3ECD1AC3C0A13E9AAB22D97D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045951Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:12.773{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51762-false10.0.1.12-8000- 23542300x800000000000000027083Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:14.251{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A55C0AB517B25E8836529F8E577F236,SHA256=776D78DC02D1BA4C86A77193716A57F8216A2A3E82B2749C3BDDBAB90A41D877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045953Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:15.980{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51FFF8D9BBA3622E01748577BEDAEFB5,SHA256=B75ABA1C3D5A0D26F0D6989A1242D9A53979FE802740A93E07E2FA414A280FAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027084Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:15.267{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D6E8B7617BC0538757574902A720A9D,SHA256=CE3539ADDAA61FC7E92F03C8740974F3DD5904A3341109C933C29DA738283D91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045954Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:16.995{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAC1A44E15CC3DE23CD9D5FFD57D8E52,SHA256=43C3BB2B5501E9B4E2357FCC7C8DF11233596365B6487EFC22F40FD8E63CF54A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027085Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:16.313{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EF400C4306A275A595D7E28BB02D473,SHA256=7CC794BFC9F86CC1D981B787E991FF2968FB1B6475F5B23AB9D0112D1AF8A101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027086Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:17.329{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC8080D11C7249C5D3541257D54F74C7,SHA256=8C071815E8C181049BA6E61EFCBADEB22D37C13254A2144606F1714D799D5E92,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027088Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:16.897{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50997-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027087Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:18.329{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18254A732448216540CD5FFA579FAB09,SHA256=FA67DFF0AB60F257EDFDABF99F5D38200EA27B6EF96A8D417378BEF770772450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045955Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:18.010{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE7FC393F7AD09D41C68DE9673B995EB,SHA256=415B60973A050F364E5362493906AF02B8FC4FD977185A5697DD7B8F2BB786D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027089Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:19.359{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC75684083CFD617CBE15F56BF3F021B,SHA256=B8ECBD8CCDA5E6291A4214AA9F5E4E90C823AE175655C4D648B8DCC0282AFFBC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000045958Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:19.540{323FE7D8-0617-6136-F403-00000000F001}4476C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\AlternateServices.txt2021-09-06 12:19:19.397 23542300x800000000000000045957Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:19.540{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\AlternateServices.txtMD5=BA9863E46C62881F04F9465747F0D98D,SHA256=97C581A44648CB196D5BDA1688DE0A798C688779C79082AFA73CE21926D5E721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045956Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:19.041{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=935FD03973E69C6FB44B992532CF8BA1,SHA256=750BDD0CE756EBEE74D7763FC74D98CD7264404EC8F309BE3F628C3F3D64C5C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027090Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:20.421{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5A1D65AAD9797B9E9AC6601D7EA2876,SHA256=B25042044755A64E9F4BF29225754B0C658EDA6618D6D79F592CA78F00E00DB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045960Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:18.669{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51763-false10.0.1.12-8000- 23542300x800000000000000045959Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:20.059{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A1FAA01562B36006D8B81A5C5A63EAC,SHA256=7F5B8E7008D2B1ACD8C074622B41A8C7336D3E4018F632DDBCDD738340230558,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027091Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:21.515{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB4AF1F7B41FA67A47F159F770C5E0D,SHA256=BD25EE208554BEF586F0E4FCE3F381C46ED80EBCDB837BCAA13DA286C93E364C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045964Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:19.579{323FE7D8-0617-6136-F403-00000000F001}4476C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-456.attackrange.local51764-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x800000000000000045963Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:19.578{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local65535- 354300x800000000000000045962Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:19.572{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local50616- 23542300x800000000000000045961Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:21.077{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99D2DD82E7E42DED1CE229148B118C88,SHA256=E09B407B662547F6DA14FEAA272B6140EA79D3C51A58CDAAB3490AF4DB75E48D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027092Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:22.515{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A31F26F812F25BA2EFB90CBD35FAB83,SHA256=AB199D1C63B7F448BC031A8337D98AC6FADF577930FC58EC2272FE84B34367F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045965Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:22.092{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD097678F6794FBA76981C58E56E0AFE,SHA256=1EC5EC9355B2684170EC83C542265CFC8FC2B42E0CCF69B1AA7691F59029C54A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027093Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:23.546{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62A5FBCD5F687AD47334C300336B3FC2,SHA256=687AF846C97553B372A6DFD7F52B06248B966BD33A9AB5492C047F7D822B53FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045971Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:21.786{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local56029- 354300x800000000000000045970Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:21.786{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local50965- 354300x800000000000000045969Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:21.784{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-456.attackrange.local63338-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x800000000000000045968Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:21.783{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local54453- 354300x800000000000000045967Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:21.783{323FE7D8-022E-6136-1400-00000000F001}1096C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local65535-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domain 23542300x800000000000000045966Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:23.107{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B4CAF7B6883FDD9D6FD28C0A771F712,SHA256=C41038D7901EAA50EDA29B50A00EE7D9C73F35B8B9A37891C267C89875410888,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027095Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:22.911{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50998-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027094Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:24.562{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16C22EA841ADF22011AD60F82A9B35B3,SHA256=1C2C4E62E98910E731B8507BAB8FABCBBA04410FD2AC0524DA562E2C2C732476,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045972Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:24.121{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B7F1C1976CD1572506A83DFB1FF7A00,SHA256=C734F7326423B9CAC027BF229BA61550B8135364681ADBE4056C44DECB29B6B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027096Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:25.577{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAD25AD3396B1AD76C4C82C52757A482,SHA256=6CD3D087A1C5D4E2313B4054ACE370DB7128226558111E0C2CED74B310C317CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045973Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:25.155{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFDF19007E1FE0A5A5A0B99E447616A0,SHA256=F5976A4806A09F869BC9A6E76028B94339785193AA4D48CA9BB35FBDCCD1EA08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027097Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:26.593{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85CC55FF6CCCEA617C652C2AA6442AEE,SHA256=BDB586020BA5281CB3786A64954A655CB5F4DAD1E010F2AFFA26BC3406F59EDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045975Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:24.696{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51765-false10.0.1.12-8000- 23542300x800000000000000045974Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:26.173{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C58AAC454CC1ED2FE16B39E36D8333E,SHA256=2D047A91998E7C4A1C1BF822AD7033EF766977DF270367A043FD26634E743EF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027099Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:27.752{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\respondent-20210906120554-100MD5=4761C661187147E55C9BD88F93ACDD3F,SHA256=E49051AD655512C416AEEFA39D6145E31F50204E8459201070596158B48A8487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027098Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:27.594{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E806AD8504726C03B5417540245909E0,SHA256=4C31E0E2BD171F23A30065B93EA1CAE8072A224745C6DE7CA768A8D2B20306A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045976Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:27.188{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32AF125D68631B393A151EBD0429EB78,SHA256=166E88748E49D4924842F190C0BA169D406BF0A91F622859BECF2D2289625CF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027101Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:28.766{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\surveyor-20210906120551-101MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027100Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:28.625{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B57F56777CC582756B78E02F2A822A2E,SHA256=82D04967DB9CAE1134255420FBA61A52490B4769391A0D5393489BD1C406B07A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045977Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:28.219{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCDD2744E527507DE3E565CB8624E369,SHA256=BDC5326CD60C04F0EDA218541E2CD32497421B24861119B63EA892EC348398E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027102Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:29.626{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A54BA0049E17AF9280EE80AA01A37C7C,SHA256=40813402AE8942080D40A3706C89FBC59FCB7F3745B7A0FE719278026F8E2C7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045978Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:29.251{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F54A9D9C86F0130EE9D04DF0A69B1E25,SHA256=C941E320125AAD8AAA83E451E0DA18079C2F714A5E5425346DA015B4C5C7118F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027104Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:30.626{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3BDF75E872E2ABC65ACA975D1FB2568,SHA256=1E92C9F20E5937AC67B7EE6B28165625C4B13C91CDD63F6E37E86855B664574A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045980Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:30.418{323FE7D8-02BC-6136-A700-00000000F001}1036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045979Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:30.271{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=465A5AFAF6E45D735C1F164EB0DC1115,SHA256=0D0361C20E5AF8E3C9CEBE549831626F1D8C056940B5C0FD14898EDE7D5672F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027103Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:27.911{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50999-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027105Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:31.657{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB23E4BF5070BF8D56B3ACF6EDA0A9A,SHA256=A3490B08ECE54CD63063824DC7A2EADEBAEE942BAB7093D67738FD65CBF4B033,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045982Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:29.993{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51766-false10.0.1.12-8089- 23542300x800000000000000045981Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:31.301{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5A2080CB65C1909B85D4171971FB9AB,SHA256=A174010C1F203F0AD33441512E8C9AC5CB48DC1C47665CADBAA47AF23EDC4E08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027106Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:32.657{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F44C606C4836E69F3D636F70979ECA3A,SHA256=AAC0F2CEF33AFCEFDAB0BBCFFF2EE9D8ECD1522769015814CE8A8B5C6109C378,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045986Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:30.677{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51767-false10.0.1.12-8000- 23542300x800000000000000045985Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:32.316{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4738E443876535F2469541E87003466,SHA256=A944E99715A0FBD6B552569DD5A6EF835D54DBBCD4B23084B24FE44DC373741F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045984Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:32.201{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045983Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:32.201{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=73E5E46F0720C9D85C531252A79202ED,SHA256=67DCB36F7F753AF124141171E5AAE1AE165E03AEE0F3426AAF3A179241397305,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027107Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:33.673{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=052CCEFE4C4847BC3082372AAD7B3D17,SHA256=F9D80184F3A320AAD773B5341FC5612CD51CCC2AE3FDEAC7EAFD6E191C8C8DE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045987Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:33.331{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=162813C881E06DB7752BAA1C55DA8164,SHA256=406BC625A335459C5114209472A31F84E8302C2EBF7C9F3E9FBB785A343AF78E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027108Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:34.704{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B1217B754B4AD16AE86AA8A064140D2,SHA256=814D47943997D55ECC20395D472D532E122CBDB657190E49BE4902F14E4AE747,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045988Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:34.348{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18AACFC7063DE9F6FA44075D83ACB470,SHA256=4E6660EFC5FC1757F6C866F10F39429E0B3123994998ADEED2635F0208C3B6AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027110Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:35.704{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BEABE89BC510439517C7CABC653359D,SHA256=0A1D048F2F35E73C88532477BC6FBB5335FF5DDD42F217A6DF0138F5B188C044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045989Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:35.367{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3194289DBF2B83281A763DB7C1E1CF1F,SHA256=1C59EF8885A88798AC991717BEE12FDB9E56ED2490A2DEDE64921FC696BB55E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027109Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:32.944{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51000-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027111Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:36.735{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E80D3C4823308FF5FA113AD4D133DB1,SHA256=7728C9E9917E6F536533B3D17418F85655B30B69FD00F26F2BC1839937178AD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045991Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:36.382{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D28FF75A7475AF10D78E470537CEA07,SHA256=C48D011AFAFC3B67F2B16DEF232CF094B9B40A7B5241E52E93544ABC45C0102D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045990Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:36.298{323FE7D8-022E-6136-1000-00000000F001}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FB850928E32A16D29DF2BF1D0A4B41E6,SHA256=B0BB0689752EF28B87F0874358F80F69992C5AC351E111DBE25EC2C2A4D0DC63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027112Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:37.735{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=438C1D1A6F7146B0269066420635F10C,SHA256=87BB58633B830224009108BB4806420A3B56BA88ABADCDD4B2287825515B77D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045992Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:37.413{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6A30E4E7B51886DFE74258537E29BEC,SHA256=70728E7F8111442F54565947079E27A5EDE7D665359F263D1636DD631F5E7C1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027113Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:38.751{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9DE6A32DDBE676B583CDE1FAB09EC57,SHA256=AC3707600DBD67102BB62A04B4C6BB95BD5E1EFF26FB6EC0C78E44E961B5778A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045993Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:38.428{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C77DEA8075F3752BE8054A049587439D,SHA256=4360E60A10471BD7DC4866BC37245C576CCFA22FA921ADB2A83FB2AD0843E167,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027114Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:39.754{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30EE7C0AAC5643EA15FDF08CB449CC91,SHA256=432F31C33C3A1A9D031C9E339E8168DDBA99096E1889BF039650506A06F8C1FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045996Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:39.484{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\respondent-20210906115753-108MD5=58D52BFFD80488B8005F7C319C2D4334,SHA256=B9D8441D1BC2ED8425146F5F211E2A21C477807F4E0B7EBAD9811C868FAB9279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045995Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:39.428{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E7607C23C77A5C659E3301A56DE9F4D,SHA256=98A744D8E01DC01543BE92C310898017C9D23B4015A99EFDEF4EE1B93356F268,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045994Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:36.673{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51768-false10.0.1.12-8000- 23542300x800000000000000027116Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:40.754{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFB9AB6C46EB77AD8C3F9C50330BCFB5,SHA256=FAE934D348D0ADE9137EF64279426D020942CAA462F0101D6B33325358844FCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045998Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:40.498{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\surveyor-20210906115751-109MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045997Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:40.446{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B32EFC35433850C729005CF8145DC5C,SHA256=9EE716FC37F1FB628FFD5C8C8879F6F5E26D5AFD7D8AC6BD6335FD3208E5D24F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027115Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:37.990{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51001-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027117Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:41.785{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8A14277F1FB2EFE4B5FC166BC17FA30,SHA256=39B23C145DF02806BFAA3BF5637498D9FD9813AEF3C3DEC7618CB942FE057E00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045999Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:41.460{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CB01E8CD54CEAF3AB8527518D26157A,SHA256=062E9EFD889B8FF52733B7694650A8A192FF7803E492AA86AD2A8ECC529A5CF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027118Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:42.832{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB0C48EC517B53B2CF5345929BF5CF24,SHA256=A3F5FCBC39627B4EA4940C4B3CD1B6D937A5646A31F002841EBA3709F891114E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046000Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:42.478{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9825563ED8CE58DB1C2524C2D4AEA392,SHA256=4F00B1FA5C36BC2CDA49B412B66A8BC073DDB286E2E321BBADDF3C3C9B36E29A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027119Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:43.941{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=825E2ABAB00D1F109CAA2F3BC6E8D8B2,SHA256=8A419EDA1478C16EA6B541CA2F8E963C11ADD1982998C1B9E0E963C274FDF46A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046001Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:43.494{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BB5A81B039D0F23DC10492DBAF1CBF2,SHA256=7CBCFC27A72539D43DA6ED094CB0C76462745182D0618D7D194B50383232847A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027120Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:44.973{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E329C7DB86F553B89AE1A8610E75F1A,SHA256=E19F3E5A30982A50E802D441F6E3F08E9394DE05F9D7E0BFE2915DF141EEF08D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046002Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:44.524{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBEE9D6C5F8EFAE30639A3B6D20C47B0,SHA256=5CBFF6C2E6A0CD0EA775244DCB2128A65E30AA855C4A2DC26091764177169395,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027122Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:45.973{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8882CD799FCE0604508D940FD0B368BF,SHA256=460B8656ACDE526E9A5B3EC6C15643EA759D481B1248BA11EF01470F36AD8C93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046004Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:45.557{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7F02800AC3E5A07BE3D6BF336148157,SHA256=5C9835CA45759D62564B69A3B5D0D4EA721FA75080B61B2B804678C584D4E2CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027121Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:43.994{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51002-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000046003Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:42.685{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51769-false10.0.1.12-8000- 23542300x800000000000000046005Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:46.576{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B85338CA0EA923DB69E4A4F346ABC400,SHA256=614A32C04B55ABF9A2874978978D6CF012DF32808D53A8AA488C40A9008C9D04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046006Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:47.591{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A8C6CE5FA94665655E398B5058C63AE,SHA256=CD5AF1EA76FB8370376E2B42650846759D2C411204BB2AAF18AE557310560A1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027123Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:47.004{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FE057D4E838F8125DE7B35723AA04EA,SHA256=2DD65577B15F0D5CF461DA49DCBD6F0FC709D7A486D0C20FE3946331940F5E8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046007Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:48.606{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89552521EC1E73E171C8FEADA27581F1,SHA256=4CB2D28B3187159DBE9EE470CB96D9E163008DCD9E0705E375607FF01DB8AF8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027124Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:48.019{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFCA9FD98D7BA04F8CDEDB8077BDD770,SHA256=7AC5F6584D9770867033A3BE1182FF8DB5004F6D536A6677D511DC0706185A08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046008Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:49.621{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76B21D2E8932E76F15D1273DA3B2C100,SHA256=65ABE18B6464000AFD7C5E16F4F628AD50EEABB0DE6BC11FD3DC9F42E53C341B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027125Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:49.035{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC06B581FDF12B5C927A66744F6B43E,SHA256=66C496B09A0CB404DFF852151DDD25E0512DD8F971397B6F725DECAA13ED230C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046009Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:50.637{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BD1DAE8C39F9A256089D82BE4A18169,SHA256=D256F2D7236F36FB7243991DB9CDF3E83289D7A35C04D965088644054D740A0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027127Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:49.040{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51003-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027126Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:50.066{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2907B7F8A3EB3DC32A2CAB1FBB307D74,SHA256=EEDD09794F41A67633CBDE470B36680B3D6D93409E3DBC52BE92133E21B898D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046011Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:51.655{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A467BEBCCD3DE03A52A563DC1E66273,SHA256=B3CEA222F42714301897ED8E3D2529644CDD35800A1E41D83D5003032ED486C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027129Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:51.660{FFF7FB96-041E-6136-1200-00000000F101}1020NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=14B333D455A2A326A8DFB794A83C9C00,SHA256=4C33A4E8244DAA2AF8310A7D0B23C3FC7DE7F2C3A29586B6CDC5C256ED6838B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027128Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:51.082{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C805DAD4E152ECF3EDFB97C06B7F6943,SHA256=C9044B9AED6A00738E901754981A959618D063DBA7C4154498E54249400D800B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046010Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:48.647{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51770-false10.0.1.12-8000- 23542300x800000000000000046012Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:52.673{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C5EC864F7FA066B0E2501230469F6D7,SHA256=A1F9D7FF5EE69D45332B0BD9D32116A3B52EC6F7208845C646D2DCA4BAE04434,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000027140Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:49:52.832{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000027139Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:49:52.832{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x005f5015) 13241300x800000000000000027138Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:49:52.832{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a31d-0xaf4c4d7e) 13241300x800000000000000027137Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:49:52.832{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a326-0x1110b57e) 13241300x800000000000000027136Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:49:52.832{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a32e-0x72d51d7e) 13241300x800000000000000027135Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:49:52.832{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000027134Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:49:52.832{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x005f5015) 13241300x800000000000000027133Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:49:52.832{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a31d-0xaf4c4d7e) 13241300x800000000000000027132Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:49:52.832{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a326-0x1110b57e) 13241300x800000000000000027131Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:49:52.832{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a32e-0x72d51d7e) 23542300x800000000000000027130Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:52.113{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E81BF35CB76CB8A258547D9E380DB113,SHA256=CD376D8B817FC1029D7FA7C20C1EDC206F7FA5AE15EEBAB75BA89B0883FC5EE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046013Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:53.704{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DD964585BCBB4449C0C6D1E4416CBA3,SHA256=44C7AE6B1D74E74D7DCF9140EA6FE392E3C7C0950A62F4125BA579B791E653ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027141Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:53.144{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E10D692BBF436A16ECB861F735E383,SHA256=6D959C34056E8FB4F9BC686B2F05923C44563C8C87400A3A7E1EEEA7FDD8F53F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046014Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:54.735{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C19BDAC73778B934A03DFAE031E6089C,SHA256=FADDB935BD908062327E9F0270DA3516034B0375AA30C4B5C744A5930372210E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027142Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:54.160{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E43022ED4F29D0BA8B6DC02C106D2888,SHA256=D112D4D95472A92045321527BFE410ED09E703A7C7CA162556D5B1B3BAF66E34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046015Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:55.752{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28F7FB235F06DB6B1979E7FDD8A6C16A,SHA256=5067CC0FBDB5F9523C1899C5F3CFCA6E31A10BADDAEBE1099C057CB99E461169,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027144Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:54.056{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51004-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027143Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:55.176{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9853824040B3100788566ACE07BE3D2,SHA256=BE12A74AD62A740224417A53FDC28C9DCD60B481BB1297E8597C1CD3B659E457,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046017Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:56.771{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C00543BE606CD5B719C529955E735AA8,SHA256=4D01D8A924ED02470B98BC4555049F6415AF9155AC386A8897C5980667E57C33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027145Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:56.176{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACFE803EEF8EC9E84CF87AD47EAD45FC,SHA256=9CA900B026246F24D7F1E3253CB5984060257A21FBDD9066AEF1E8CFDBBA0725,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046016Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:53.811{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51771-false10.0.1.12-8000- 23542300x800000000000000046018Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:57.785{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEABDEED3DD74D03E9CE0F28ADFFD7E0,SHA256=792F7FF5AD3BE7CEE48DE11C29BE7ACC3BBA91C5840358BA8B6928AC686F5D2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027146Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:57.223{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0669EF098B7C01DAF2B8342EC3A5B49A,SHA256=EFCAA368C0FCFA1EDCEA90412DF710BADE68246F8A05BEDC9A8DE6B44C306A93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046019Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:58.800{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F519DA685D59E5C3D57745EA6D952FB2,SHA256=DA91166CDD37FAE626848409838DC8346CC2B903AAD4D2BBD896E87D482DF125,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027147Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:58.238{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9524298DAA06383A4F39BECC38339F4C,SHA256=F391FF89508AD9E58181EEB9FFD1E9C65FC4F416CAF806706BA737C17531C4A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046020Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:59.815{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE22EFF0035D642511070CB91369690A,SHA256=3467DF835EF8DA9B0309DB67F3A286817FF5E019FFAF907D1C41810BB214B2E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027148Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:59.243{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9EECD6DA5B9D9D88B68B94948CE422F,SHA256=B58446B05B6A416CD07D7C238DB76E3D7548480927FF9D13F6E98AF17F4793C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046021Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:00.830{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F33327DB92179078034F12F8E5902DB6,SHA256=67A6B440DA56B5D12D81D12968E87A8014E0BE28BCD38E7D39685764863CF01D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027149Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:00.243{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=919944DDC0C90460129BA4312DD5B9EC,SHA256=338E5B276255467603CDE1EC091BCC5C36E3DA4DB2CFB890FE5E0D377D116467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046023Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:01.848{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9526C40B49077F50DAD2A33BDA62BC55,SHA256=2A5F05B827D54E6407703D4C2FB1769180F5A0900B2ECD82BAD000F2FD5AAD22,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027151Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:49:59.983{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51005-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027150Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:01.274{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50168DD8FB843808487FD2A28C967C7B,SHA256=2BF268EA2C236C0AD4617B6CC1D98D91C6041E6830E2CDFB40676344461121ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046022Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:49:59.791{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51772-false10.0.1.12-8000- 23542300x800000000000000046024Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:02.897{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5130CD243BF4F379D31ADC0AC611847B,SHA256=4E99AB51BDCE95FDCA186A851F03B66DFE993257F0345D8F668D9088E5040B09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027152Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:02.274{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACD335BBFE474F98C4E8A31C4E48257C,SHA256=FCDAF55D493B1E9A698F1965A19E7EA9D64E5B8081477A0F4AE0EC8651060F2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027153Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:03.321{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02190060A91FFF3F2B3877823B1B15B8,SHA256=3533DBF11098EE339F6A6051154B2F8A5F3D6EAC15252F6426B91313CE39FDDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046061Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.746{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046060Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.746{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046059Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.746{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046058Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.746{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046057Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.746{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046056Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.746{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046055Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.746{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046054Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.746{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046053Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.746{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046052Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.746{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046051Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.746{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046050Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.746{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046049Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.745{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046048Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.745{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046047Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.745{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046046Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.745{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046045Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.745{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046044Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.745{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046043Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.745{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046042Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.745{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046041Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.745{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046040Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.745{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046039Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.745{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046038Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.745{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046037Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.745{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046036Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.745{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046035Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.745{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046034Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.745{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046033Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.745{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046032Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.745{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046031Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.745{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046030Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.745{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046029Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.745{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046028Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.745{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046027Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.744{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046026Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.744{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046025Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:03.744{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027167Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:04.868{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1C8C-6136-9006-00000000F101}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027166Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:04.868{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027165Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:04.868{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027164Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:04.868{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027163Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:04.868{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027162Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:04.868{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027161Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:04.868{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027160Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:04.868{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027159Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:04.868{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027158Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:04.868{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027157Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:04.868{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1C8C-6136-9006-00000000F101}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027156Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:04.868{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1C8C-6136-9006-00000000F101}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027155Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:04.869{FFF7FB96-1C8C-6136-9006-00000000F101}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027154Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:04.321{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAB82AC292FA980CFD3C88FDF35B6E32,SHA256=CAC639253F41BF59D5B6BDE856B90A29A27AACC2E3CE574B0DCCE1E03FB4A0DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046070Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:04.549{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1C8C-6136-1709-00000000F001}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046069Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:04.547{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046068Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:04.547{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046067Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:04.546{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046066Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:04.546{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046065Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:04.546{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1C8C-6136-1709-00000000F001}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046064Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:04.546{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1C8C-6136-1709-00000000F001}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046063Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:04.544{323FE7D8-1C8C-6136-1709-00000000F001}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046062Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:04.146{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4E0152983100AFFE82E7B8191CE1F0C,SHA256=D5387BD0550A43CD7427A042BF5E62BF81DF32FEDC478F6F1B60D133909F99D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027185Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:05.915{FFF7FB96-049C-6136-9F00-00000000F101}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027184Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:05.899{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CFB541BFE4056CDB1544819B3B4BE93,SHA256=76C7B5288FE47DFA608EB71BC3E7A17A9DF4BF2BB9A1F6227BD1F4E17662FC3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027183Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:05.899{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FE7DF437CA1173769855CE23AA00C6F,SHA256=21F36CBD83381F9C6A2763254EA97C54903A5F68432C9B19DBD4EEF7763EC72D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027182Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:05.462{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1C8D-6136-9106-00000000F101}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027181Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:05.462{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027180Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:05.462{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027179Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:05.462{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027178Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:05.462{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027177Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:05.462{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027176Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:05.462{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027175Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:05.462{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027174Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:05.462{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027173Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:05.462{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027172Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:05.462{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1C8D-6136-9106-00000000F101}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027171Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:05.462{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1C8D-6136-9106-00000000F101}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027170Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:05.463{FFF7FB96-1C8D-6136-9106-00000000F101}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027169Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:05.337{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4D2934F51600A91FD445DC7ACE6D18C,SHA256=4ADE9225FFC15F12CBD688BD4B5536D5FE53F138992C3FB44BA74597A65330A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046089Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:05.882{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1C8D-6136-1909-00000000F001}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046088Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:05.882{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046087Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:05.882{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046086Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:05.882{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046085Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:05.882{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046084Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:05.882{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1C8D-6136-1909-00000000F001}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046083Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:05.882{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1C8D-6136-1909-00000000F001}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046082Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:05.883{323FE7D8-1C8D-6136-1909-00000000F001}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046081Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:05.567{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17E3888832D87D79EEDAE9D81834F216,SHA256=F56B401148B627583F8E0C7FB4A308FDEF97448BEFC4B61F0DCC02ECE0D2956A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046080Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:05.567{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCA36D706358E738971D07892FA7D838,SHA256=B385A2D57215D41984D235A1705071B1DE6A1728C2F260C38B16C97191F3F5BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046079Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:05.212{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1C8D-6136-1809-00000000F001}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046078Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:05.212{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046077Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:05.212{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046076Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:05.212{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046075Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:05.212{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046074Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:05.212{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1C8D-6136-1809-00000000F001}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046073Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:05.212{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1C8D-6136-1809-00000000F001}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046072Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:05.213{323FE7D8-1C8D-6136-1809-00000000F001}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046071Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:05.165{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=877C67F38B3AC5DE6154D4C6AF108328,SHA256=ACB51E0D7F347C0D835AD50123E0DF7DA5E8B2B8C257E6E0B94A245E64549CD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027168Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:05.055{FFF7FB96-1C8C-6136-9006-00000000F101}921488C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027199Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:06.446{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B7CF90AC6B9D99D841CFC3F341A6871,SHA256=4AD791EC90004D0A239D0074FD18B0D30AF276DDC60FE9D9A989B131BE496511,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046092Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:06.694{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17E3888832D87D79EEDAE9D81834F216,SHA256=F56B401148B627583F8E0C7FB4A308FDEF97448BEFC4B61F0DCC02ECE0D2956A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046091Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:06.263{323FE7D8-1C8D-6136-1909-00000000F001}67083760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046090Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:06.178{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AF61B6D9203234951D834A32D2A08C2,SHA256=353E8EA565A4A03F480E146D36FB04790E5EB09058CC2C538C2F8A89BC7D1B28,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027198Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:06.087{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1C8E-6136-9206-00000000F101}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027197Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:06.087{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027196Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:06.087{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027195Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:06.087{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027194Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:06.087{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027193Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:06.087{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027192Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:06.087{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027191Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:06.087{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027190Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:06.087{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027189Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:06.087{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027188Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:06.087{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1C8E-6136-9206-00000000F101}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027187Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:06.087{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1C8E-6136-9206-00000000F101}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027186Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:06.087{FFF7FB96-1C8E-6136-9206-00000000F101}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000027230Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:07.946{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1C8F-6136-9406-00000000F101}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027229Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:07.946{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027228Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:07.946{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027227Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:07.946{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027226Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:07.946{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027225Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:07.946{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027224Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:07.946{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027223Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:07.946{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027222Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:07.946{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027221Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:07.946{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027220Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:07.946{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1C8F-6136-9406-00000000F101}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027219Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:07.946{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1C8F-6136-9406-00000000F101}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027218Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:07.947{FFF7FB96-1C8F-6136-9406-00000000F101}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027217Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:07.462{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9CA76079C86957110A7992608FF87CC,SHA256=BE66EE2E11C70FE8ED27A4F80B180455EB8A078FE50CFB3039B3A66C2C69BD98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046104Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:07.973{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1C8F-6136-1A09-00000000F001}6296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046103Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:07.973{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046102Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:07.973{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046101Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:07.973{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046100Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:07.973{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046099Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:07.973{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1C8F-6136-1A09-00000000F001}6296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046098Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:07.973{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1C8F-6136-1A09-00000000F001}6296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046097Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:07.974{323FE7D8-1C8F-6136-1A09-00000000F001}6296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000046096Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:05.636{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51774-false10.0.1.12-8000- 354300x800000000000000046095Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:05.274{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51773-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000046094Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:05.274{323FE7D8-023F-6136-2800-00000000F001}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51773-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 23542300x800000000000000046093Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:07.211{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3381B14AC8C1E2D4F2FE7E6152E29210,SHA256=0A0EF8950CB223C2A9DE17464236EC044E52039F9F168F5F3F03C13303007B5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027216Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:07.399{FFF7FB96-1C8F-6136-9306-00000000F101}4963948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027215Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:07.274{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1C8F-6136-9306-00000000F101}496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027214Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:07.274{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027213Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:07.274{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027212Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:07.274{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027211Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:07.274{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027210Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:07.274{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027209Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:07.274{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027208Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:07.274{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027207Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:07.274{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027206Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:07.274{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027205Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:07.274{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1C8F-6136-9306-00000000F101}496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027204Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:07.274{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1C8F-6136-9306-00000000F101}496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027203Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:07.275{FFF7FB96-1C8F-6136-9306-00000000F101}496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000027202Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:05.748{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51007-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000027201Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:05.076{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51006-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027200Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:07.102{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CFB541BFE4056CDB1544819B3B4BE93,SHA256=76C7B5288FE47DFA608EB71BC3E7A17A9DF4BF2BB9A1F6227BD1F4E17662FC3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027246Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:08.618{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1C90-6136-9506-00000000F101}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027245Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:08.618{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027244Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:08.618{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027243Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:08.618{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027242Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:08.618{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027241Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:08.618{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027240Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:08.618{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027239Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:08.618{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027238Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:08.618{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027237Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:08.618{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027236Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:08.618{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1C90-6136-9506-00000000F101}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027235Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:08.618{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1C90-6136-9506-00000000F101}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027234Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:08.619{FFF7FB96-1C90-6136-9506-00000000F101}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027233Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:08.493{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C11EC76668716848AF0584CF141260CC,SHA256=E37912C4AD6E13D8E0F6AF089663DA80FD09CAAB7CA431396F2B5FC4440D32CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046116Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:08.974{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C14F7983AF6CC403DD8E1EFC8606144D,SHA256=6057930F1EF4EADED092B56D28E3BC8E5749E0C5ED588FB51B71903D2F6BAC42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046115Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:08.758{323FE7D8-1C90-6136-1B09-00000000F001}52963996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046114Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:08.542{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1C90-6136-1B09-00000000F001}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046113Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:08.542{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046112Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:08.542{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046111Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:08.542{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1C90-6136-1B09-00000000F001}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046110Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:08.542{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046109Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:08.542{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046108Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:08.542{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1C90-6136-1B09-00000000F001}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046107Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:08.544{323FE7D8-1C90-6136-1B09-00000000F001}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046106Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:08.273{323FE7D8-1C8F-6136-1A09-00000000F001}62966560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046105Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:08.211{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3963071B045712B940DD028189561898,SHA256=8CF263AF8E93C58F33FB5A8BB33220416B47E7BBF6E49AC205ECC46971798DF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027232Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:08.290{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6ECA239FF1123581116E06DD98AC4188,SHA256=F8A7AC86E186841524C25D5A58225C0FDA2B528DF16A126D0511E7378B41789A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027231Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:08.118{FFF7FB96-1C8F-6136-9406-00000000F101}3536796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027262Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:09.868{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48627F916B4854263FE0AB62B0813A03,SHA256=013DF071A3585D5AD6EABA5633FD20AEAB863427CB3C21ADE895495D7ADD131C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027261Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:09.868{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E053161280DDF9FA620A00ABB69C932C,SHA256=C7D13ABEA57E438A3576166A467DFA6CEA7C1260ECEAE7823DCEB44311E2D509,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046134Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:09.873{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1C91-6136-1D09-00000000F001}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046133Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:09.873{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046132Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:09.873{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046131Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:09.873{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046130Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:09.873{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046129Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:09.873{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1C91-6136-1D09-00000000F001}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046128Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:09.873{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1C91-6136-1D09-00000000F001}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046127Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:09.874{323FE7D8-1C91-6136-1D09-00000000F001}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046126Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:09.358{323FE7D8-1C91-6136-1C09-00000000F001}63444876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046125Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:09.227{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B058B601B459E437617E4D75DBC673D,SHA256=ACFBECC67C0DEFFE50D3B3793C61F1FE258D8ABB104AC2AB07E3A5D8AA609364,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027260Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:09.446{FFF7FB96-1C91-6136-9606-00000000F101}29123980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027259Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:09.290{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1C91-6136-9606-00000000F101}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027258Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:09.290{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027257Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:09.290{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027256Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:09.290{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027255Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:09.290{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027254Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:09.290{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027253Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:09.290{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027252Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:09.290{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027251Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:09.290{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1C91-6136-9606-00000000F101}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027250Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:09.290{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027249Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:09.290{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027248Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:09.290{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1C91-6136-9606-00000000F101}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027247Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:09.290{FFF7FB96-1C91-6136-9606-00000000F101}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046124Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:09.194{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1C91-6136-1C09-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046123Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:09.192{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046122Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:09.192{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046121Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:09.192{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046120Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:09.192{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046119Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:09.191{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1C91-6136-1C09-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046118Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:09.191{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1C91-6136-1C09-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046117Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:09.190{323FE7D8-1C91-6136-1C09-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027263Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:10.868{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C85C9F24AAAD8827D5EA7A9B0A79E5AE,SHA256=B0BD41C17CA1E7625B35E27499CD9CA4D85C32845D348E935C916CA084758B69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046136Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:10.241{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BB640B688C5F6918D20E6D7051BC162,SHA256=63DF8A64E66120F2BB4C0F22FB822D6DF55EF14FB50F0D1514CB397B5C6CAA77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046135Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:10.210{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F161A76D75D2337CE5DFAA9DA3B34B7A,SHA256=64056D24DD924C258D45B295797354852CC8677082F2A831468C96DC75C21D01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027264Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:11.930{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82F47B125877A6DCF7606FBA3E1DBB59,SHA256=7BA942B1A3F0B7D41FBBCBE20E62A2CB3FDE4DC9E15BC04BFE8706D17045AB9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046137Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:11.272{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=641FE8669D3ED0C9C87EE975740CA8FC,SHA256=26B233DBA1F3456A674B29B67B50A93791501B0CFB35CEB17470DD06238C9929,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027266Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:12.946{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E93DECDA6EAC49C32C90CD12C72A8DB7,SHA256=1C5DF8E09F490680F213E0399237C7C0ECAC73EF7BE65BE8E7AACE21D9DBB58E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046139Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:10.832{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51775-false10.0.1.12-8000- 23542300x800000000000000046138Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:12.309{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EE6FF370E4F726639778B1ADA03FD72,SHA256=FB4F5433C7C6341BD7CCF2E40461A3672B58D394EFA86A833649BC5158E6DB46,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027265Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:10.858{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51008-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027267Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:13.946{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=847FBFAD2B7ACA067262FC60202C5FAC,SHA256=B1202D7640AF0DE6192450DBF5BF5D53A823852D8CC015C10501F3263829E478,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046140Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:13.339{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77E57D0A291FF4876B2CE87EF48ED390,SHA256=1114FFEC8D64130777185933872BC9B050159B9E8D9A85F0A691BF4B531F1BB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027268Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:14.962{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BEED0BC4AF9B29DB7D01AAE710EFEFC,SHA256=9C5C55789C265B4D48047478AAC2A381BE3BA1D49D72D913DA81B27F67232068,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046141Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:14.354{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB139CBD6C118AA054242E599C64B8BB,SHA256=55FF7998DD5E15FCB3EC2CB321AC49FF9D39EFE68E02D738317C5575CB18DF83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027269Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:15.962{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ADD90F3A1B70988B8452C43ACC69058,SHA256=982A507ECADDFF9469A368BC22578530E670F922DF8E2F6F6DB0C980A498692F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046142Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:15.369{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=674C793EC8E9DC57169987343FFF686E,SHA256=6FEFB242053E54CA93D237804FF70B6E3C0F3547FF92F35B06FD07E7AA570215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027270Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:16.977{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=773ABAF8DFD93C8D90B3619194494A57,SHA256=FFBB79C30EDF3D4A1CEE619AB77030179DF8ECFDD8FEF2FD5A9CE1439FC09192,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046143Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:16.390{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AF2AA1C098A5D9E329EA01376905BE8,SHA256=B85A76B9A67977EBA35D5809FF5D00E1CA6AAE364D48F902ACAB96D8D110F804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027272Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:17.993{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B1A092E447351F4FB8149AD140736A5,SHA256=56C4E458B6622D396C19ACF3AE691AE4E282A4A705E29DD711350542A8287F85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046144Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:17.405{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A723AE76F8C3197DE3BAB4D0F630F62D,SHA256=1E5F79766F4C747866E801096B969DE5C55BAD6EBB98C5ED0DB011631C2384F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027271Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:15.920{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51009-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027273Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:18.993{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC6D993D2FCA69F582551C83A41FF5CB,SHA256=C48E85915331A62BD8E53DE2897019B35394D94F4C94A470182F4888154AC637,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046146Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:16.796{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51776-false10.0.1.12-8000- 23542300x800000000000000046145Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:18.420{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64FC1EB745BBD4D6F0383ABC4DFF6C10,SHA256=5F4756988D8EDD8188F73A5BDC7A0DBC85DC3DD4D58115FF5A7C0C1F8A6C09BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046147Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:19.435{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BE3AB42B80944286159CA2269F46B16,SHA256=D4AB311E4534EE347DB6019D5A85C0EA8E2CE512A32002A1210D1DB8BD525E7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046148Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:20.438{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ADC934C45040C91B25C9DF11A2C8F4C,SHA256=0E6DAF7D3254569F00D6146E106937F6D6F58B56FA45D6DC8414F67D96EFBDDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027274Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:20.022{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63C8B66A2F90C8F02E304E46DBAAB9C7,SHA256=845EDB5551DA8CCE51BF75918728C573BB6436D685AB5240AA01BD924AEBF93E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046149Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:21.468{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEF2A73ACA3B6360893E280065F65C3E,SHA256=8251707D29E30F80DE8DBAB88306C6C8ACDE053096D04BE626A74B6754DDB875,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027275Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:21.038{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB2F539CD833BCAA0A1F7F7CDC4B96D,SHA256=64DBFDBC0F0F9B32CDAB8165C3FAC4FA9B4CE0ACEA1BB67B010653F981286CCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046150Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:22.505{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D5588C9FE049076F8B39B81AF661F16,SHA256=B2FD02D07DDB32B8E9A5E286254BF4BD8CE626BF99E607741FBC29A12841D0FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027276Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:22.054{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B80EA48829F6B885B38281D04BEA01A,SHA256=409377A22BDBA479F2619C1CA9D49BD91F6E2E41C9CA98B5EBD21067BFC7CF34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046151Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:23.520{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64615BDD9D943E3DFDD0592CD03C0B44,SHA256=79FFA7C32CEC7241045F867E09BA85C6278CADBF276014D7751D73BE96056794,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027278Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:21.918{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51010-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027277Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:23.054{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91F1C1D2083CAB54F625BC8BE2F124C4,SHA256=7041984D2E35255186AEC2F73F694FA5E8CEED1655457E6B4F0D8A127CA30EA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046152Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:24.535{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2F631E32CEECCD9CE56280368045A23,SHA256=5E54B88B240760D714B32283EB7C3D17F6B7866EF38894405E84D5252271DD87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027279Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:24.069{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=376354AF1985F2FA98404A3C7291395E,SHA256=1FFE6C1EB562782353B973413F710DC6B3E637FEC2CD9DF7F33E9A90CF045393,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046154Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:25.550{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C760536046DA1813D90FE13185190200,SHA256=CC7816208245CDC77969FB459D228DABC84C4F60C857E7A1236873CCA0822BB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027280Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:25.100{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF999587433A7F62CED2F4BCEF70EEBA,SHA256=6A8413B9EBDDA6438F273A9F5A4A59EC6275100F4102C8C67C29FA48F37ACDE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046153Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:22.774{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51777-false10.0.1.12-8000- 23542300x800000000000000046155Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:26.565{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3BF429E4381071BDF42152672A34F8D,SHA256=EB3B87C7B100C699911B274792F3B430A45F83C5ACAC6D4EA4040011F9492C36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027281Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:26.132{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7DA652026792683358535544C28E5D4,SHA256=E4A8F0C6478347E70C2BAB7AC401BF867E9CEADE27B10E022638C33E6CD3378A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046156Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:27.583{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7C9F04A416B0F7FE6AED8C62C575915,SHA256=2CB5112F7AEA6775E6A56A7ED434601F89F4299D856BFAACC695A638FC4B7CA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027282Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:27.147{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D600A08BEAF05A10B370C684A954ADA4,SHA256=9F6312BCA9337A0ECD23647048AA67B74BB98B9E22B6727667DDC51ABE169DD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046157Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:28.601{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7B86AE5C5A64394F87F57E25825DC02,SHA256=C40CD69291C121E8C4789C3100EE5EE0ED09B46A67D4BA81BDDD42B8F8E0F47F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027284Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:26.919{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51011-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027283Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:28.147{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B92F289ED303AE69C0C66559DC0BC2B,SHA256=E287ACC0F0D0F9554CF46CF5C2BC038BA6E4C077033B2B8A116A2CD4E0183165,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046158Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:29.617{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=140A0B13225AACE556AB390FD297063D,SHA256=EE111A406EF5F8833D8FC7DFC785CDE87C84F8F302EC035DCA48B3F303BB4294,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027286Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:29.293{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\respondent-20210906120554-101MD5=4761C661187147E55C9BD88F93ACDD3F,SHA256=E49051AD655512C416AEEFA39D6145E31F50204E8459201070596158B48A8487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027285Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:29.182{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1027978FF54BD21490640F11CDF1B18,SHA256=C84AC3F1ED013C74693AEC587C009F2509E7512FA68332DA73DFDFD9365206FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046160Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:30.632{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FD4435EA8AE353043651E58AAFC8ED9,SHA256=141929A05265D2396530964A956FCF545253067B4011EBB4C7FDD03AEB0EC2CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027288Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:30.308{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\surveyor-20210906120551-102MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027287Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:30.197{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBEBF438F063B90CB2EA264CDFF5F5B5,SHA256=681B67D44F856AECD821D82FE8B1B51CFE8E28B2A5EA934E37EE1E7BFEE57516,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046159Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:30.447{323FE7D8-02BC-6136-A700-00000000F001}1036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046162Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:31.646{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74C9DC6EB083AC41947ED18D25FC2498,SHA256=5DDFBDE0C889F98245F10247E64E2A4A187F3BE713017B17DD197D4257FD7688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027289Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:31.198{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE3463BA1355C3F625209E99264528F4,SHA256=739DA1DDB63663F1139A7E8F47C175EBA9763688B3695784DA40A0962FF9BC3B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046161Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:28.670{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51778-false10.0.1.12-8000- 23542300x800000000000000046164Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:32.661{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DB27597036F3F34494A61CDCA6AAF2A,SHA256=A270EA8CF32FF90EA7A00CEA35B8C9077915BC0D62A5249ED613AE85BE42D7C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027290Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:32.230{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF5D994846EC0D19C8B1B1CD61F093CD,SHA256=37C49D868C7EC18EBBC01E71900C17CF88710AF642BD441EC316057588A03305,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046163Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:30.023{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51779-false10.0.1.12-8089- 23542300x800000000000000046165Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:33.678{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF435027F5B45D03896B0B8BC33D25BF,SHA256=FF99D4B7FB56CAD63221A6DB3964A32D68B5E98CAA0585ACEA75024E8AE7660C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027292Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:32.016{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51012-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027291Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:33.230{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C409D893FCB84973F14E3A144690CB,SHA256=1665BE9022AA900AD0EEC1387DF18376263041A413BA1CEB30671115B94939C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046176Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:34.697{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DDA5BDD78189FEF32D21AFF939609B8,SHA256=536E65605F92BECBFB7A107767BB90DFB3B80269E771E53E833BA5FC3ACA8DE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027293Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:34.245{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6603D2916329A0BC1C30A83F053E87AE,SHA256=0E236104F25030291F96EC85A3AF592E03F8DA9040C2C44963B0D7C401DE682F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000046175Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:50:34.529{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000046174Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:50:34.529{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0067874b) 13241300x800000000000000046173Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:50:34.529{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a31d-0xc7f94986) 13241300x800000000000000046172Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:50:34.529{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a326-0x29bdb186) 13241300x800000000000000046171Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:50:34.529{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a32e-0x8b821986) 13241300x800000000000000046170Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:50:34.529{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000046169Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:50:34.529{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0067874b) 13241300x800000000000000046168Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:50:34.529{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a31d-0xc7f94986) 13241300x800000000000000046167Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:50:34.529{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a326-0x29bdb186) 13241300x800000000000000046166Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:50:34.529{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a32e-0x8b821986) 23542300x800000000000000046177Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:35.728{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E97B74C0048DB161DDD52ACDA5B73D6,SHA256=52616F0C966389D4DD2E662209025A24A4494220EEDC2668ED4216B1180C07E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027294Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:35.261{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0E7596A2D22F7BD4536225702257609,SHA256=F2C21B5AF2B82DFA49B540DA9B2B57FB60069D176F4BA85F1851B04217188848,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046180Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:36.744{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBE3C54FFFD21DA251D6D621FF7A4EFE,SHA256=4F3E507D0E395BBB5000421CCA2AE50B3780369D4F0B499864B6286918228C24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027295Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:36.276{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDA93AAD0F9FEB1A550781A8F43BCBEA,SHA256=9AFD6898D2933A4ABE9270396F3CACEC48CFDF921BB92B4E6042F21B85BA84B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046179Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:36.312{323FE7D8-022E-6136-1000-00000000F001}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1E5E0DB2DB9C27BB5563D30F11BC7D98,SHA256=7993945B8CE5CA196DA2EF3AEE06FD5C68DBEEE07E452B1EFDA12D4F3B1E2382,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046178Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:33.689{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51780-false10.0.1.12-8000- 23542300x800000000000000046181Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:37.776{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE61532E9DF5EC881EDAE4FA31CD1E60,SHA256=D10D290BE7314C4AA1003D3D03D2175FE785785A4F3EA2943D885BC085F60347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027296Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:37.276{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC4CDC0F504A4905DAF929950E73B03,SHA256=CC1C4A3DA41B8E15A83A7B5D2FF2C2E4A57E42D2FA96DEC8463BCB8EBA6F1808,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046182Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:38.795{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA31BBD3AEA47F9E566B4F67F0DD27A8,SHA256=60B903E7ADF1BF0BD17AEE38A833ED2D97D2F4F74467C19A4101633B6BC6A5D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027297Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:38.292{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88CD0610EF7D8FAF142443EC2F852162,SHA256=AA9D944CCF169F686FA01E22DF94D87892D405E2B5CA11401B2DB3C5FB902CCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046184Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:39.811{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=667650569B2000216A3FABD63982168C,SHA256=643A3B92995A2382E0EE469270EE0F9FF2E140B517590239589502CDB3FD4EFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027299Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:39.304{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5D967796457746954EC44B44DA64DF0,SHA256=E39FB1DFD5E5B567B9CCBA77E73E7591E7675E974C6286647585E66007D36F08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046183Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:39.095{323FE7D8-022C-6136-0B00-00000000F001}6242748C:\Windows\system32\lsass.exe{323FE7D8-022A-6136-0100-00000000F001}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x800000000000000027298Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:37.048{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51013-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046192Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:40.826{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E905CBD3BE8BFABA43BAEE00DD267447,SHA256=EE60D2D2EC539639282E666351CEC7EA9A3AF6EA013CFF0A0961272BA5BF8C74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027300Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:40.304{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E48336AFDE6A16DB927A33FCC9EC8F81,SHA256=84FD66CAEDD0D348C62B2E322E2BCD484828D58F7A1DFA3B471F070A55EE311E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046191Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:38.690{323FE7D8-022A-6136-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51783-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local445microsoft-ds 354300x800000000000000046190Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:38.600{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-456.attackrange.local51782-false10.0.1.14win-dc-456.attackrange.local389ldap 354300x800000000000000046189Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:38.600{323FE7D8-022F-6136-1600-00000000F001}1308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51782-false10.0.1.14win-dc-456.attackrange.local389ldap 354300x800000000000000046188Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:38.590{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51781-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 354300x800000000000000046187Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:38.590{323FE7D8-022F-6136-1600-00000000F001}1308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51781-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 23542300x800000000000000046186Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:40.010{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FAD1D34BAAFED5E2EBDF420C0E88052,SHA256=70AF7E0917A2088CBC8B85CC7863729BC30EE2B6F6586C3472055A618066A229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046185Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:40.010{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3B2748CD2AC747FBF11CAF371160D5F,SHA256=797E5808228C057CE2A762160AB73FD75DCC541A0643109AAF431FB9902117AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046196Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:41.826{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ABBDABF889E45B6261E1115FE2F94A2,SHA256=18A8286A2D6AC7011E21E23D4BB051E1A706773B7E38D560432BEB03F4A69DB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027301Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:41.336{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=971BA52F11E7C737CC48E680250234A7,SHA256=24B074036EB67637B61E34085C542639D79F46125A0F8B86B3676F759E4DCA64,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046195Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:38.749{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51784-false10.0.1.12-8000- 354300x800000000000000046194Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:38.690{323FE7D8-022A-6136-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51783-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local445microsoft-ds 23542300x800000000000000046193Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:41.028{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\respondent-20210906115753-109MD5=58D52BFFD80488B8005F7C319C2D4334,SHA256=B9D8441D1BC2ED8425146F5F211E2A21C477807F4E0B7EBAD9811C868FAB9279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046198Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:42.842{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73B37A6FCD6F7BEE7671165B50249181,SHA256=AE366B8E0A2869C0E29D89A43F1AABC6142F8521A1FD72552218E2C4558708F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027302Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:42.414{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E52F8856DCF3C4AA36EB4636E2084466,SHA256=66539DCE85149DC973E381671A9EB7F22B333A48E2904FF21FCB15F129812D4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046197Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:42.028{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\surveyor-20210906115751-110MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046199Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:43.857{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAFA38EAD483B3559AF5E52A5DBEF761,SHA256=03AD7C3D0CDB6141E0960D5DAA09BCF8A647670C0DE2C89062074341AD7096FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027303Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:43.429{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F5BABE9B646E74267E6F52C1233A2A5,SHA256=E7BC80D3B887CD6510B7C25610AA9549BCBDE703C49497E5EB852C8B7EAB50A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046200Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:44.878{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22295860800C21BB39AAC4AF46FA483F,SHA256=7B8B58943C414D6CC6AEC141CB70138C14F2D5BE513CD40B8B02D8FEF9B346C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027304Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:44.429{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F6D4D9609F8B77769549B50786B97E6,SHA256=A258AE33E4294C060FDACE583B82800FDCD8F7BDE5D5CCFE70055869DADA5D4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046201Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:45.895{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE58F2CE1CFA3C27A55C6729BB731B3,SHA256=07B537E83ADD44F1593AF4CD4471CBCA30D1BD34C54844F4C51F5E3A9E7B5082,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027306Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:45.445{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC5C60025100E215A00F3C409B8F73B6,SHA256=896FCFDADB3A89658D402EF0A84D3B81D65F9E0C9281832C7638562C0F540BCE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027305Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:42.998{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51014-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046203Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:46.925{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF575F0A30F60069F4AB5454EC35C16,SHA256=45D92D372EE73EB0AFC4B703DAC3123DB9E54A6C57870720217B44079726936B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027307Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:46.492{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D04DF7DE03BFA80627248A00158D56C8,SHA256=CCFE58F6872A08599D8A1591C6C6B87829FAD77739CD9CD8F0BAEB639CDF077C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046202Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:44.648{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51785-false10.0.1.12-8000- 23542300x800000000000000046204Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:47.956{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1548365F72D72833AE55576E1CD21518,SHA256=883F9F7784141EB236392AC5B83CA1D72DC4B28096300EC763AC3402B904E925,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027308Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:47.523{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3229978413062C5C4CFB899D291F8609,SHA256=42FFE652A271B8BE80FDD2F94F050E67D3C243F64EC5FC51745F3674EC535182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046205Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:48.973{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1145DD5E07058426B2D7F57FCAFE89B4,SHA256=99B18D36C82C62D8879FFA365A6D286A895D7EA7F63A7E9F05D6D40BFBF699A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027309Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:48.523{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DA80D7655C7920150E27D02B399A981,SHA256=7F410C20689B0DC737E7CC94B7E211788BEA0453D7F9D7A651218A4A33C8AB27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027310Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:49.523{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F10138479449CD70A4FDDD3D6E6FD8F9,SHA256=110C994386A327B037C87D97F09E9301C841BF66FC8D1007A3CB8B4C9DAB8690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027311Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:50.554{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DC30CADA1D422D625533747DE4E33DF,SHA256=FB18F2C6132FB5D62D2C0B791A9A35E49200E5A0BC4CE4B0E70A4DA9387847BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046208Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:50.827{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B856BF2ABC876B657F58FFF22634D40B,SHA256=F28948CF68609DD8B054349693F0057D5575ED36A78D7DDFB23637B6BD93DB4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046207Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:50.827{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FAD1D34BAAFED5E2EBDF420C0E88052,SHA256=70AF7E0917A2088CBC8B85CC7863729BC30EE2B6F6586C3472055A618066A229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046206Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:50.007{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8501532C4BFE73FEB3130463FB9A76AE,SHA256=4890D5FEB89CC25307FF3A9BD53CF3D2AE46A0084CC544655686EC0A63FAF11A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027315Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:51.664{FFF7FB96-041E-6136-1200-00000000F101}1020NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5C5434F922FD0250FBBC023C44244210,SHA256=A7E4A31CA3C5B61C9F7741B07C551383FAC6CE1F28A0698FFC0B995A331B7D82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027314Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:51.586{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEBF7167E594BC123897C57D9AE02938,SHA256=F6104ACFF07B92D42B4EEC5B2C0821EEE3826F3C560ADC0DB8185A787A94CC65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046209Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:51.011{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=913667AE2D138ECF3C46611964FDF133,SHA256=9DD387D5063E420FA0FD92297CB436F0CD5AF703D701B0AF4055346FA62B049D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027313Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:51.476{FFF7FB96-041D-6136-0B00-00000000F101}6283160C:\Windows\system32\lsass.exe{FFF7FB96-041B-6136-0100-00000000F101}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x800000000000000027312Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:48.920{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51015-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027316Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:52.601{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC9426A19207D6A5FE7309D719555762,SHA256=8A13920A32BD317EED7E8235288834F6E84C33F29BAB440EE9B02F4BCA9E6564,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046212Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:50.618{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51786-false10.0.1.12-8000- 23542300x800000000000000046211Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:52.526{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B856BF2ABC876B657F58FFF22634D40B,SHA256=F28948CF68609DD8B054349693F0057D5575ED36A78D7DDFB23637B6BD93DB4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046210Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:52.026{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95EC8FC9B277CC654E1006CE89AF01E6,SHA256=218DA61C64D4A4FDA7E907B25190CC22C0A4A0BE45C62AA7A8503DEBD19D57B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027318Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:53.622{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7BDA7C82F6D5F922C88F104950B003C,SHA256=7E6D77F990264AE13250AC8D21D829C632FA103E7F44F540F3047B65DB753F56,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046214Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:51.104{323FE7D8-022A-6136-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51016-false10.0.1.14win-dc-456.attackrange.local445microsoft-ds 23542300x800000000000000046213Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:53.041{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6FE5D941692820C1827BDE460C89C59,SHA256=F5C4B62F6AD4AF366051C9023BB0C08E47BCF82C3728ADDDA2561CE22029A70F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027317Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:51.328{FFF7FB96-041B-6136-0100-00000000F101}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51016-false10.0.1.14-445microsoft-ds 23542300x800000000000000027319Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:54.632{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8757813FA589FD168AD6359777A45DFA,SHA256=C17C2B4CC6B3D99D644E74A8D535C619C3AC6982382423D517DE2BF9B47F36AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046215Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:54.056{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CC79779D61AF9A70F0619D7A7A8A062,SHA256=D3A80ABC8606E7770798A357718012408510CBFE0662E10182424B2BA14DD083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027320Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:55.649{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34FAD388C5670A9CCF90B1553A574851,SHA256=0010C107E0CA800A866E176468E1D3AF10D0668D8141CC01A28ABD311B4AEF0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046216Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:55.073{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4538A1DF651C24136EEA656B9DF50352,SHA256=301E329D209DA3352E9C2472B6F9058AC4DA20F6A8F600B01C2AC4E56887AADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027322Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:56.649{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2131410BDFDB3CED8AED5EC7F7939296,SHA256=355FBB6305E8C88BFE4A53F8D2C2D4D7B3E16CE73E43A2E95ED799CB265C012A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046217Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:56.092{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B860F235DB9D9623B8233372DEEB76EC,SHA256=931629A2B622A1C922C37CD29A9F9B40C2D4DC2AB902CE476A1D1920C1312CA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027321Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:54.091{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51017-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027323Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:57.649{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D7DEE0103F588AE96D7AD0DD82FC045,SHA256=7213E712BD1D5DFEBD22CB3FF3256E677A99F5D17CFFE1837634EBE9B0E36E7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046218Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:57.107{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6720A3C12525E9CE5F155B5BA4DDE656,SHA256=7F471FE422F497E85F6CB20CE01BCF01EBB6EFDA7851FCB3BED4CCCB42FA1A67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027324Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:58.681{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E2AE0636413AC3E2F91BBA3014A4FFE,SHA256=627E3A507AEDEB6480D970D952C87A5CA83801ACDB3FCB8E3602553265B8D5B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046220Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:56.661{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51787-false10.0.1.12-8000- 23542300x800000000000000046219Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:58.121{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BC286DEC22AD9F5C4325B02F50C088F,SHA256=88F6545715B43C6527F9B3DC2DEF5A1A8180EC6181C037BD8ECB24A463830CBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027325Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:50:59.684{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3157288B8C64B77882D859920CB5A577,SHA256=46579318473964486AFB202ACB5AB221DB9EF5F23C8ED49CFF5389A6B67A5F24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046221Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:50:59.136{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CAB4FDA650BD8BBBFCB763375B93462,SHA256=EBEFA5CA71781E355993F6B5A27B12FB12CDF48C90696331362E2297DDFCB981,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027326Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:00.699{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CECE4FDA0746B7A52A0DD8E23EF55A98,SHA256=266C74B08FFF6F88D603C1AD5B92C22F656DE1732AAEA9BDFC06464BB2B64BE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046222Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:00.151{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F7BCBC675632E61CA69676142924487,SHA256=2345E0B89E7744384DCDE3C8615B1F912EEDC6B8B69CC002EC0A64D38207D887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027327Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:01.715{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D69BFF5FC87A4DBE16405A45DE3897C0,SHA256=EE2D4B31FD9F10B49062BE26EF7BC08C9EEFAFB58EB8BC784803CEEF8A49514F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046223Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:01.172{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87EA7B48E949EF954FA4D76DD7B8A6FD,SHA256=DF09A304EB9BE2E265AD14A328B2779F672170332AF2D5F1B2DCD0A1A180ABF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027329Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:02.715{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94F9A4B8495240637D7089D0A5CECE36,SHA256=E9D12006938AA45CBEED8F9ECBF9F12EFC03E41EB297596377E21F55CF952466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046224Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:02.187{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D81DFC18C2D26C7409DB69D130E5C734,SHA256=271022F9BBE494A88D18643B17FEA6099059B308D75520829D13920726C16974,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027328Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:00.080{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51018-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027330Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:03.746{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81EAA5A633F848638E7F8CE652E20C0F,SHA256=483B53DB779BF26B176D5473B7541CCBCBC7E39792A7CDB253EBA2CCCA6D40A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046227Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:03.549{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0DEACEC092BACBFEE135F2AE2F78F2F,SHA256=5D7338E9270AAAF54CC9CEAEBAE85B4A9CE8DF7CEE379FC26DA9EDA9445B0EB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046226Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:03.549{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC467E1AC3F1032E551CCBD3635382C5,SHA256=2FCC0299B8B7F6755BB9DA0205D5B735FE7DDD5D144BE955046329CAB278883D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046225Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:03.202{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BF99146B5F91938F61143B53A1D44A8,SHA256=E27A2EB357EB1B8341F9FD42C74C94D80E6D9F0BEA5C494C53E7DBF5231A335A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027344Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:04.855{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1CC8-6136-9706-00000000F101}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027343Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:04.855{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027342Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:04.855{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027341Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:04.855{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027340Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:04.855{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027339Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:04.855{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027338Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:04.855{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027337Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:04.855{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027336Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:04.855{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027335Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:04.855{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027334Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:04.855{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1CC8-6136-9706-00000000F101}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027333Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:04.855{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1CC8-6136-9706-00000000F101}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027332Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:04.856{FFF7FB96-1CC8-6136-9706-00000000F101}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027331Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:04.762{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BFEA23A970C643FD9CC43B80D3D7B6A,SHA256=DFCC690B427D20857477AD6025EB74D5CCC01B6D4E862DA6CC74FA3CA79F65F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046237Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:02.657{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51788-false10.0.1.12-8000- 10341000x800000000000000046236Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:04.570{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1CC8-6136-1E09-00000000F001}4832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046235Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:04.567{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046234Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:04.567{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046233Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:04.566{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046232Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:04.566{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046231Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:04.566{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1CC8-6136-1E09-00000000F001}4832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046230Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:04.566{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1CC8-6136-1E09-00000000F001}4832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046229Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:04.565{323FE7D8-1CC8-6136-1E09-00000000F001}4832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046228Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:04.248{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEC15D614B0C36670F946D2D7187149B,SHA256=4999910E6BF3335AD53572F867A777D9A492DE89F6CEB9B2B049E7E6B7E92A3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027361Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:05.934{FFF7FB96-049C-6136-9F00-00000000F101}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027360Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:05.871{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3BB36055686FA036C4B244F07A566DF,SHA256=68AE7CEF2C6E753A58437849404F7056792AFBF55B0C0DB8D739BF5D5B019268,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027359Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:05.871{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40C463DE9AF061D120F27700366EDB31,SHA256=EBAB65AEF7AF6DC94CF93A8B911BBD19B7C2C03AE79B1CA52110AE7888046BC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027358Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:05.871{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30FF9605B42CD14FFADF8234BFE6C825,SHA256=9E4AD44C38E33547585A1A3FEFA9DD3E3D4741E76099D21CF64323A5140EBEFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046256Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:05.903{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1CC9-6136-2009-00000000F001}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046255Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:05.903{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046254Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:05.903{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046253Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:05.903{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046252Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:05.903{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046251Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:05.903{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1CC9-6136-2009-00000000F001}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046250Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:05.903{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1CC9-6136-2009-00000000F001}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046249Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:05.904{323FE7D8-1CC9-6136-2009-00000000F001}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046248Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:05.585{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0DEACEC092BACBFEE135F2AE2F78F2F,SHA256=5D7338E9270AAAF54CC9CEAEBAE85B4A9CE8DF7CEE379FC26DA9EDA9445B0EB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046247Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:05.435{323FE7D8-1CC9-6136-1F09-00000000F001}2940944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046246Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:05.250{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C197302E0219788B99A9B23E22CA126,SHA256=568C458FB92C8DDAD15350EBB4DDE21937A95FC43994DDADD5EDBB9037DA438D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027357Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:05.527{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1CC9-6136-9806-00000000F101}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027356Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:05.527{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027355Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:05.527{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027354Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:05.527{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027353Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:05.527{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027352Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:05.527{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027351Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:05.527{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027350Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:05.527{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027349Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:05.527{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027348Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:05.527{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027347Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:05.527{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1CC9-6136-9806-00000000F101}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027346Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:05.527{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1CC9-6136-9806-00000000F101}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027345Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:05.528{FFF7FB96-1CC9-6136-9806-00000000F101}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046245Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:05.234{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1CC9-6136-1F09-00000000F001}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046244Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:05.234{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046243Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:05.234{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046242Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:05.234{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046241Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:05.234{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046240Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:05.234{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1CC9-6136-1F09-00000000F001}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046239Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:05.234{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1CC9-6136-1F09-00000000F001}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046238Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:05.235{323FE7D8-1CC9-6136-1F09-00000000F001}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027376Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:06.902{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4B54F2224AD3D4E15B8950F3A388372,SHA256=3EC04436DFE88BBA582EA1E8ACB8AF77C137C729C498C15BB53FEF90AA3735F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046258Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:06.718{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34B627292273F511109CC34D37A59CBA,SHA256=CCC83ED78B5A471DE22384930DDB6D0F9F6F9137684E532AAFF470D177907B17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046257Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:06.265{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10616A983B36B51E29481DDC47E5857C,SHA256=ADD2D981F7328B132E9162CCD8BF59B04D3725E063C871DACC0B5D7C63B1E7C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027375Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:06.387{FFF7FB96-1CCA-6136-9906-00000000F101}34083628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027374Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:06.199{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1CCA-6136-9906-00000000F101}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027373Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:06.199{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027372Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:06.199{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027371Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:06.199{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027370Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:06.199{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027369Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:06.199{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027368Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:06.199{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027367Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:06.199{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027366Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:06.199{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027365Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:06.199{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027364Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:06.199{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1CCA-6136-9906-00000000F101}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027363Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:06.199{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1CCA-6136-9906-00000000F101}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027362Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:06.200{FFF7FB96-1CCA-6136-9906-00000000F101}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027406Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:07.918{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=294293942F28EC5C6E74FE634A47408E,SHA256=EF8BF955DA5EB3C47F69452D4DD0F3E323A203D24170201F4CE30B6D0A490186,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027405Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:07.918{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1CCB-6136-9B06-00000000F101}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027404Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:07.918{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027403Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:07.918{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027402Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:07.918{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027401Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:07.918{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027400Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:07.918{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027399Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:07.918{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027398Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:07.918{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027397Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:07.918{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027396Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:07.918{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027395Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:07.918{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1CCB-6136-9B06-00000000F101}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027394Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:07.918{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1CCB-6136-9B06-00000000F101}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027393Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:07.919{FFF7FB96-1CCB-6136-9B06-00000000F101}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046269Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:07.966{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1CCB-6136-2109-00000000F001}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046268Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:07.966{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046267Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:07.966{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046266Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:07.966{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046265Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:07.966{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046264Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:07.966{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1CCB-6136-2109-00000000F001}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046263Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:07.966{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1CCB-6136-2109-00000000F001}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046262Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:07.967{323FE7D8-1CCB-6136-2109-00000000F001}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046261Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:07.283{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F7CF5B7940487B23148A823AE0792F7,SHA256=B98EA7FE7BF807F6B224B6E015432942D949D49501BA829DDCBF5040D165862A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027392Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:05.768{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51019-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000027391Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:07.402{FFF7FB96-1CCB-6136-9A06-00000000F101}36242340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027390Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:07.246{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1CCB-6136-9A06-00000000F101}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027389Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:07.246{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027388Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:07.246{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027387Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:07.246{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027386Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:07.246{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027385Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:07.246{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027384Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:07.246{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027383Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:07.246{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027382Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:07.246{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027381Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:07.246{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027380Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:07.246{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1CCB-6136-9A06-00000000F101}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027379Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:07.246{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1CCB-6136-9A06-00000000F101}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027378Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:07.247{FFF7FB96-1CCB-6136-9A06-00000000F101}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027377Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:07.230{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3BB36055686FA036C4B244F07A566DF,SHA256=68AE7CEF2C6E753A58437849404F7056792AFBF55B0C0DB8D739BF5D5B019268,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046260Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:05.295{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51789-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000046259Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:05.295{323FE7D8-023F-6136-2800-00000000F001}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51789-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 10341000x800000000000000046280Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:08.634{323FE7D8-1CCC-6136-2209-00000000F001}59123368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046279Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:08.487{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1CCC-6136-2209-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046278Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:08.485{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046277Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:08.485{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046276Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:08.485{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046275Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:08.484{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046274Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:08.484{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1CCC-6136-2209-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046273Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:08.484{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1CCC-6136-2209-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046272Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:08.483{323FE7D8-1CCC-6136-2209-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046271Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:08.319{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1656585CD310A387453206C52A86B44E,SHA256=2D6C6543D1D20D11AD43CDE4A7C5705255A390E6FB3EF1AED61419AAFC401A28,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027423Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:08.559{FFF7FB96-1CCC-6136-9C06-00000000F101}40522336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000027422Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:05.939{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51020-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000027421Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:08.418{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1CCC-6136-9C06-00000000F101}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027420Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:08.418{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027419Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:08.418{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027418Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:08.418{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027417Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:08.418{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027416Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:08.418{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027415Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:08.418{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027414Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:08.418{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027413Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:08.418{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027412Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:08.418{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027411Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:08.418{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1CCC-6136-9C06-00000000F101}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027410Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:08.418{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1CCC-6136-9C06-00000000F101}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027409Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:08.419{FFF7FB96-1CCC-6136-9C06-00000000F101}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027408Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:08.402{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E0B6CAF782D2F1DE722DE97D7BB81BD,SHA256=487858504B061BBA04698FC70D98F424FA1D8D52C5F993E432DD55272A105B00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027407Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:08.090{FFF7FB96-1CCB-6136-9B06-00000000F101}38041612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046270Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:08.188{323FE7D8-1CCB-6136-2109-00000000F001}6320692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046299Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:09.749{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1CCD-6136-2409-00000000F001}7164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046298Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:09.749{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046297Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:09.749{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046296Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:09.749{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046295Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:09.749{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046294Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:09.749{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1CCD-6136-2409-00000000F001}7164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046293Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:09.749{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1CCD-6136-2409-00000000F001}7164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046292Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:09.750{323FE7D8-1CCD-6136-2409-00000000F001}7164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046291Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:09.333{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4BB489E28F05CF7D0EB4A44D0CFF52F,SHA256=AF712E6B884227399892C18965038EAC0445554FE6D7DDA6110A877F171917D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027438Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:09.418{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=688E64AF6485E6A398705E9DCD6C5669,SHA256=095FE6A42A7D26CC0CED955D7706434A027EE41155111343D1BDC46DB4E60415,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027437Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:09.027{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1CCD-6136-9D06-00000000F101}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027436Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:09.027{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027435Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:09.027{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027434Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:09.027{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027433Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:09.027{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027432Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:09.027{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027431Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:09.027{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027430Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:09.027{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027429Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:09.027{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027428Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:09.027{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027427Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:09.027{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1CCD-6136-9D06-00000000F101}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027426Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:09.027{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1CCD-6136-9D06-00000000F101}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027425Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:09.030{FFF7FB96-1CCD-6136-9D06-00000000F101}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027424Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:09.027{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B4EB7DBF52EB6DA79CB8EEF3F0EA065,SHA256=7F7770DCBFD416CBDAFF584EE211530F4C0EC90736C37035D78B7275EAC2D1FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046290Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:09.302{323FE7D8-1CCD-6136-2309-00000000F001}63246724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046289Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:09.086{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1CCD-6136-2309-00000000F001}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046288Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:09.084{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046287Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:09.084{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046286Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:09.083{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046285Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:09.083{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046284Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:09.083{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1CCD-6136-2309-00000000F001}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046283Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:09.083{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1CCD-6136-2309-00000000F001}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046282Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:09.082{323FE7D8-1CCD-6136-2309-00000000F001}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046281Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:09.003{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60DBC13ADC409669E588A4D069B49B1E,SHA256=7328737BF65A02CA5F2F68A106408C701DA769D1C107CF4A0DF4862588AD43EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046302Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:08.672{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51790-false10.0.1.12-8000- 23542300x800000000000000046301Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:10.334{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38DB271D4CD3484D1003092E564E6A69,SHA256=9E972FB17A3885E5580C0D6D3D5B3C091E59A23347FFC0BFF91A10193DC5B538,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027439Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:10.043{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4E03C1E347CBE03938AFA2B8F88598D,SHA256=FCEFC279B3435F0F8C218189046C836B910C612B787E70FDA9D1933D48F67C9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046300Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:10.102{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6D386416C29D9524AB863551452490C,SHA256=E6BFDFE0EA0B24B5E20617749DA6954C6F7B50B76A2F1B2590CF8579E9576A65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046303Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:11.349{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EBD8AE5ED23BD8A5D96A9136C2E9C02,SHA256=BD1ED6A228407805B44BDA0D1A4B633F80130AA456D7BB31316E3374B1D3B96E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027440Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:11.043{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7809FD0E9F3FAFE0519BAD0AF8E1397,SHA256=B1F8AE6506142472013252D1410D2584EDC4EADBEBA37067A537853FD26CC4B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046304Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:12.364{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65036B88A82A124B56CF52A6EDA54BDB,SHA256=17ACAB540D3B05D0E6101593EEBCE245C71C9052C9C53A14DCD108FB06329124,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027442Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:10.971{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51021-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027441Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:12.059{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=299EAC08229408820CFF7CA811B0EA63,SHA256=B911D547EF7C891C46E8AC5406FD0960AACF6FC248CF8A62597A33171F5D3550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046305Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:13.382{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88F19ECA4CD875BFA22025D8B6EF78D8,SHA256=D31B7D0163097FC2158F160702E3BE50AC3FFF4879C5D8FAC7B03AD727522A1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027443Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:13.074{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=093427813CA6DE4A8DF11BE490A50D6F,SHA256=2145EEBAA0D97B97F29F8309E56F467016F54A9DAA1109820D62D910DA7DCDF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046306Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:14.401{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=080860444B62A57FE7ABA9043F434722,SHA256=4E31193AC9F56F296A01D50E6B676E96C5A09E79605F1BD082F0C86F85880686,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027444Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:14.105{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7ABA1A5FEDC0102D239D63E158FADF4,SHA256=D44239AF9A8C5C649BA5496553E2E5C884A221B62DC6CE58C8C56A88AD0D0B25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027445Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:15.121{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E34C961C395FE18F08FE7DAE0EA812A5,SHA256=6C57DE5BED20109F705A6735594BA9CD7C4D9DA79F69B86BEBA48CE07898994C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046307Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:15.416{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=968B959AD53782B558F99D444E998B4D,SHA256=D160493C931E5EEB0A933E0F2F676B5C21ABA027F773CD44243C0B9242E09CA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046308Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:16.430{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79948FAC910801FDDF6E7C21D5476D8D,SHA256=899D18536A81AC886DA5AB5C436D75974811C8807923CF61A7B12C2E230C4F41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027446Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:16.137{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3691D43454ECEC634D558F065DEFE117,SHA256=3C5343E609AC957DC7F00A29AB5FB203CADA2C9716117F9F37FE3658E1D02057,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046310Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:17.445{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB052E0F91D55723FB809A1825333D1F,SHA256=C826C384DD00F12A1D8ECD50D057450A274F8DDF5464FB85C40DE261D34AA986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027447Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:17.168{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CFBB8FFF3A287DD71E888D420C8F332,SHA256=B452897A71F07DD1A4DCE6E69148023280ED495863E8C65976EB4581EAACEFA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046309Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:14.707{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51791-false10.0.1.12-8000- 23542300x800000000000000027449Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:18.168{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F83ED85A3FEB1DDDC4AEA4AD67EBAD4,SHA256=1DAA1EF7B6F5107EFF885FC999522E9408C1F87D0657F9A945056EC2277181DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046311Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:18.460{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BAE66A21C089FDD964000B015A150F4,SHA256=E60C21B096E6367864F8F287D02A4A701531A6C7EE018F2D76EB400E827EAB0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027448Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:16.018{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51022-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027450Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:19.215{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDE64B67396D659ADC9F2317B69ED169,SHA256=80F4397CFE456CE4662C2C8FC5A396076215E82A1FE13A6C626901B6F64C35B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046312Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:19.478{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F24817C9A2F143214589AA7AD29C325,SHA256=3CA43342C333A258479503B866145E573FC91C1A24C12E777453382D97E01DA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027451Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:20.271{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E743246FA405BDEE6CEE3ADB541D036,SHA256=2E36C5B2C4AF4D74FD4E498AE8C363FEE271DB8518726C58498BD408D275204E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046313Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:20.497{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C91D28D8A2FBCBFA0914225DD37E2E47,SHA256=F114AEA337515063E1999717A2DC17409D0BB6A9CA4FDAFE39452EAA2F99FAEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046314Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:21.512{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DAF33B0A3DFEC62E70D1BDD895B4B49,SHA256=9DD7482A2876E66843ADB2DD25FDFDD71829A25ED49351734C624EA5BDAE593B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027452Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:21.287{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FCC52E8636552EDFFDF702693D86534,SHA256=BC8B8F23A1E39A2B1AC8605A8146567A59FC354215E56510D7FC7F9C5EE7C5A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046316Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:22.527{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=800A5ED8B423FFD9F731803B439872ED,SHA256=B6C4FE1085F4E8D0E0CEEB96BE0A774A28341F71EDD97207E7BEE88FE9682702,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027453Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:22.303{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F56CF7C65C3223C6C55F7E80107A24C5,SHA256=4D112EB9D8AF36F924131EDEDB4D7F953836D3F148A2C760F88406442357A603,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046315Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:19.720{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51792-false10.0.1.12-8000- 23542300x800000000000000027454Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:23.303{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=371DAC8285ED6505856973632CEBEF1F,SHA256=AC8A8DC7056A65EBBD70A2DDC9E34DB8B436791E603693269C6A6C89EF3B7F70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046317Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:23.557{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEF08FEFE78DE2969BCFB280D84909E4,SHA256=BE372A5AE20D8D8C50E5CDC274ECE058566E4AF70D296165448D4E5C4ED2FC8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027456Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:24.318{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=013DA73E6DEB8AAA48F6B39F5ECFAC6C,SHA256=224AF71856107486E219EEEF0A925152CBA1D943756960CD5DB32C1005517EE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046318Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:24.610{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=169CEE8AB708210277BF06F5B3ADAAD7,SHA256=33D0BEE7ADCFB20C68C81D70235F0255E53BE253DA2BB3C15DFFA3FC6EA973F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027455Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:22.027{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51023-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046319Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:25.625{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=784AA4DF3B43D7876815A1FDA491AB89,SHA256=63017928BBFA20A57C239FC85F9F51D10C2511F5C208D7368FEA243C42D7583B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027457Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:25.334{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8737CB6133DC1C04993091215ED7AD12,SHA256=6B2E756D048DC0035951F652A44920A8D63103E3E0CC448D5BE4E931A854505C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046320Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:26.640{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B952E6B7A318257D1D67C51288B90BC3,SHA256=7CA8910A76497EA0C137A45EE41D711B80EF6A68F52D87963951FEB9969D9DAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027458Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:26.428{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F242F2982622F279BAC268974D79C886,SHA256=16A6FC7DC8EC49076449ADCFC377D6FFB7A49BE9A6A8637A126C285D2E42F7F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046321Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:27.655{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD011CAD6AE308F31BB6F5878AC50446,SHA256=9D0F254A4585EEB3BCADA47FD5F79749C788B8C79E95026E4E263C0CBD0E82A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027459Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:27.428{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AF13566840FCCC6D6E2DCF644D2D39C,SHA256=7A25AF7E259D2AEF7CDBA42920A7976BEE560FDDE29AA95FA815DF62984C32B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027460Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:28.459{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=831691139B13FC10079B9E424EE17C15,SHA256=B476CBCEA1DE18AEA0B213A08BD4406B04F497DDDC7A2F5335CAC4D7544282DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046323Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:28.672{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E59964C9C739E576191FFEC5D7E0494,SHA256=C77476EAD2EC63BD49C61A2477B1234573CD0963D1871CAD4AEC7AABB3A9C83B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046322Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:25.663{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51793-false10.0.1.12-8000- 23542300x800000000000000027462Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:29.474{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D08B3AFDC15737C17ACB5D4666AC454,SHA256=90E3A431385CEDBA7C6FD9E1DF078EBA352EF5C64F4CA955C4A9F1B676F99328,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046324Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:29.691{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BEEA34F31F25F2A1C5DDC50BFA01C6C,SHA256=905AD72B73E70923921C458247DAA44A7F34D41C5FF35EED26FC0739A9C6561B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027461Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:27.090{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51024-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046326Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:30.706{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F65F52EA128001E5BF3BF27D7F246A8C,SHA256=A3D20D705DA9A45431FF413CC2BD0AFB026D4A9E33A422A6CD4DB44BA31872F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027464Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:30.836{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\respondent-20210906120554-102MD5=4761C661187147E55C9BD88F93ACDD3F,SHA256=E49051AD655512C416AEEFA39D6145E31F50204E8459201070596158B48A8487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027463Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:30.521{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4488A36C03CBF2D70D53CA5593A3DA9E,SHA256=258CDFC4A2B5800D5768B0B95EDA40F81B3A0CCA18C33FEEB05618DCA48F6DBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046325Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:30.473{323FE7D8-02BC-6136-A700-00000000F001}1036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046327Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:31.721{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0F2B8F303F05DAA1EE88C475D05CB9B,SHA256=BBD617319DD1F393ED9F5FD3B7FB6954C15D809D279AFE5E6F2C7110C8CEF23C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027466Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:31.850{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\surveyor-20210906120551-103MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027465Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:31.583{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7BC5877CE0DEC0C27D51B49FFB67EF6,SHA256=53BC0673CF4C1FCEA8EA4E5C00434D94593A19FEB522F7FF3E517318D68B2C0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027467Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:32.584{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1971A2857F69AF23DB93B1B8C433AC52,SHA256=FC2E3F26676413D20115FF407F430490FD3F8093D4A4F15685BAFAB3E97612B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046330Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:32.736{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA61F3A476669190BB87E57B2EAC29A1,SHA256=3895441775B8342C6E5F99315CC1B2F99F84F310098A2AD12408F09ADA3E4BC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046329Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:30.682{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51795-false10.0.1.12-8000- 354300x800000000000000046328Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:30.045{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51794-false10.0.1.12-8089- 23542300x800000000000000027468Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:33.599{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=496B8890543CE0DC30B28EB2DBE46268,SHA256=BDFFAC83379C1BBFB6D791F7A1E8BC36A99E1D9DF6EDF13DE6E26A5F0E749B7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046331Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:33.751{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF04E7B965A4BCF443D5276011AF2982,SHA256=1CD910C5F2A0271F1CD2ED6FE6D1E867C390A649AD2B37B3FFA50C662A8736E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046332Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:34.768{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2136CCC6243A025CF94E0FCD71A72D9C,SHA256=3C97BF1342DA20CC576F31B2F5C4E85D1CC18B8C8747351E258CD373D5A85D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027470Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:34.631{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A04F0D0DD6BD0C18D5390766AE71F11,SHA256=D5ABE5DECD3B3D0ACBE87DA5227ED0504CCFF8116B1A0A1BB8B72D810BB5FA16,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027469Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:32.933{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51025-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046333Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:35.788{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F595B94997AF17B075D465872E7CEAEF,SHA256=9D6CD3293BC88F3A09133149DA14F6550576E735E9DC519FF66A14F99417C050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027471Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:35.631{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ACFE34C5B21D641FCDA4A83C629DF99,SHA256=0BDE87369A00807C7A165DC8EF4A525BCAFEDC76808A2427504A8F54016D4218,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046335Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:36.803{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10D5AFF849A641C3F9EE34908B31B6EC,SHA256=3F96150886FE317A97D589970A09BCD59C9460E67FC784CD188D72FD7D49328F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027472Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:36.662{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E41893A39B3CEA7B7C169C1EBF71B408,SHA256=FB25B34FFB954CFA593677F2AF21F010F24535B68D0957A8CD3FC3D886DB1EA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046334Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:36.319{323FE7D8-022E-6136-1000-00000000F001}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C69040D381C4463D07F9A6CABF638679,SHA256=87515C373E7C08911F3D13FF86F8238874F2ACEC427B0AEF718E295BEDC953E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027473Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:37.677{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D82866AB55E7E02D796ABD795F9E66FC,SHA256=A255389D51C12E80A3912EE54AA728852BA7DFE0F1C48A9C6737D0B05A570ABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046336Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:37.818{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33BADE8CDBCB00F18E308CE160287DBD,SHA256=67B350EC8A4B9238EBA61F90778187A5850E2EDE948EB4D153C44A7AB70C3B81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027474Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:38.693{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DD6AF6998337FBE30675645CC857FCB,SHA256=2AB6E64C1C5806DA8D6EE36F6D673920FB7AEB453AAFFEC790AB58073AC482B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046338Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:38.833{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B328CF101FA69793FB7007FF50558AB,SHA256=F5F0EB67ACB8A49B5A8F7A7CFDB671CDD0737D2889C5C2E9F1571748AA16288A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046337Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:36.694{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51796-false10.0.1.12-8000- 23542300x800000000000000046339Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:39.848{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66820EDB8EF5D9799CE2E748218CDC31,SHA256=5D5C95542DF9AEFBDE41FC4BAEB111DDCDC0ECC3DFBF8D5921321BF6BF0F9142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027476Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:39.698{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=835E27DC43110748B20E63BFFD82C060,SHA256=7F00C064CF85C2A5BAA29B813BC8DEAF0453C6AC53597B4D87B5207F53865051,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027475Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:38.105{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51026-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046341Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:40.865{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACD9539700EC736D8636A1765F6DFBCA,SHA256=1C40956F206FE7B6C18EFD7537539BC4694560FC0146637BC7114135D6E5574B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027477Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:40.698{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC84792ABD2BC377B4E0E4F6BA1A557F,SHA256=AA32817567CA417E720B94615F0009AAAA0C32F5915C7145E09FBACC28DCC746,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046340Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:40.001{323FE7D8-022E-6136-0D00-00000000F001}9045384C:\Windows\system32\svchost.exe{323FE7D8-022F-6136-1600-00000000F001}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027478Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:41.698{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6968843CC3070ACC04F9729A16557ACD,SHA256=49152351AEA97182EF34714951862DC96041E2A8B41289B02F8CD04EC6230E34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046342Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:41.884{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F9F9C91D92CB4093AD098DB65D6B296,SHA256=C2377C0E4F57063AE55528F8BECBF8AE61488AB88DC1ABA4D9483FED3B4CF696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046344Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:42.899{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66E817016CC6EB84506343669BACFF08,SHA256=5A718B4A74BF30DA0DCDB2D2809416860FC8CD4DFD248C05E27920B7C7C1A9E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027479Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:42.713{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8E53CE0F75C1856FDD0DFA22695A4C0,SHA256=32138BAC250F135C1E0845C7AB783C60933F31F01FA2010244520E6F2CF0D20F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046343Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:42.548{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\respondent-20210906115753-110MD5=58D52BFFD80488B8005F7C319C2D4334,SHA256=B9D8441D1BC2ED8425146F5F211E2A21C477807F4E0B7EBAD9811C868FAB9279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046347Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:43.914{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4F6034E0C22FA8D6A6904B62859419D,SHA256=687600E3E7DB1E67F2EE951BA1977AD22B7D09B67E091EBAB13E7EAA1E33183C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046346Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:41.738{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51797-false10.0.1.12-8000- 23542300x800000000000000027480Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:43.713{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B83BAEEDFB190217598D17CE84E60893,SHA256=179432D7E999EFC0C01D06F1D6404F54489CB558B59DC2C0268412AB7A36744C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046345Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:43.562{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\surveyor-20210906115751-111MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046348Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:44.945{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9531BAB7BCB7FBDF99229EE235EB14A,SHA256=DFAD4F9DCDC16B9E3E55C1F9C90332EC231B86273714EA30E8D9D8DF160BA8F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027481Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:44.729{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68BC1F7A9367AB53489F12E72173133C,SHA256=7F71F08E1FCC8AFF373A6B439295DC9ED8EDF53B2CF5ECC9BC850BEA2672D34F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046349Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:45.982{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3978BEF172C5DA39F8F743C9FA81AC19,SHA256=B080C70151B370F41E38C30CE59B65D68DBC30327BABDE653DF42E076D362A45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027483Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:45.807{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=697B47E5215E93579002530577CC8BEC,SHA256=37DF60EAB14316A478ED6921EA601BA4050774101891F3C812F4A88E08C20744,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027482Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:43.985{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51027-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027484Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:46.807{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C4737B53AB07A78BC905C8DBBB3461B,SHA256=5D62B8352750971B5C64A09C5F75C5633403893062B95CB53850A73789E7CAB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027485Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:47.808{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=915DDB196CED1877E1542AEBC9896CFB,SHA256=AF097ABD90BFBC12CFAA05C1B786A65D17B697AC2605A8260637CBBBFEF35EE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046350Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:47.043{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A93CD9364FD6875E2D0D93B50BF5206,SHA256=5A9A74AE22CE1823284EF7325F691F6DC8D822B6AD4BE4EE7D838DEDC03B0261,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027486Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:48.823{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BED178D62C86C8CD9ECAFD4EAD25E078,SHA256=C8972944F375D33BA6969E6F9135996BBFD1584F726C893757AF2E36DDE9C939,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046351Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:48.060{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53ED34CA1F0487B11221304916ED7DAB,SHA256=A53F035D0AEF0AADE2463A6139C304EB7A396EF58FCF0A86C40DEC91F1E485F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027487Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:49.838{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F25B4C6E610E72CB57D8888C65E69A7,SHA256=74F54DA5220DB68CDDC6380548A9E5343F48F027CB31A3B6EE456C75236ECFD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046352Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:49.080{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=732ED8D0AFE041EE78DBB30CB2BD2449,SHA256=7AA11B317E9C9E5639FF07214949F80E367FC23C559B8B19BA314919375832D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027488Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:50.854{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=032575611C574A00090B93FB195001C4,SHA256=43FC5120229768AEBF4DFDC87372E7C9CEDAE4F2243FB19D354B46A9321522D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046354Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:50.110{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C294567C94659347FE7099F5FE86C8DC,SHA256=695D1F02A00B1D6B1F96DCD7B8D862F7B6541C1989299211C664123E8CE6BD44,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046353Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:47.734{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51798-false10.0.1.12-8000- 23542300x800000000000000027491Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:51.870{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=992E16A05DF2666BA6C297A7F0A0BF8E,SHA256=C20D1A3C0FD18A0AE18FC73E7C7274703B99369242C37BF4D55D718CEE9FD616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046355Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:51.125{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE3A5325D4B894E78C7AE844C63347D5,SHA256=A48990A8138D31E0391F1749373EF3A43C1ACAC9209FDF466478D2E980ADC8AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027490Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:49.986{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51028-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027489Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:51.667{FFF7FB96-041E-6136-1200-00000000F101}1020NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2443068796CAAD9EAACD1A4385DCF7B2,SHA256=AF2C0231DBD028507811A27A9457FCAB6B81B6148569E3B3F7BB6160815F0122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027492Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:52.885{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B7D16CF7B63BEF8AE9CD3EEE7593841,SHA256=51F913EFEDE8E363562A4E0EE78C78ADA4ACCE79D25E2A42B61283D2FFC0AC67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046356Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:52.125{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7759C7FE7033CDCDC9AC76B85B6CDFFC,SHA256=8A5BE5EE1FA79421A59968013F998FB9FB97D8E5774F0459709D16CA9E0AE19D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027493Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:53.901{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD4E42AB293797B87C1048709DEEC1BC,SHA256=0BAE8C3915D3B5B73D14342913E634C451F128D47B5296997FDA4E8478EA797C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046357Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:53.140{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2916809DC46128173FC6A8104BFBE58C,SHA256=F6DD323B4F202503282C7F5458A81FADE9E762CDBB5D20B0AF535EA4666B4983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027494Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:54.901{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CFDB66F8772E7255413793586FE3963,SHA256=4186C39662B24259C69CBA0125F4E41C4242616E404DA8854E849B8BC24F0EE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046358Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:54.159{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7716C71904794C89F496F12CC3B9C71,SHA256=AA4A9D4CC3B9B0FF600FD71739D57691ABCD752C1E9F89EE2D96C0F830CF2C3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027495Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:55.917{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D64402951BDA5157FDD70A8EA994405E,SHA256=A926C208B71B105DC304F5B240EA31869F3DB01814879FD253646D0FE62735F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046359Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:55.162{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=308BD3A148922383F8E7E48BC7EA6761,SHA256=4BDBEBEDC77D8305B79F0E31C6496343B34EF44D86C994C5AF849C0B28A99A5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027496Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:56.948{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DB8AC53CC8181BD0030F0874342AEA4,SHA256=81DF641024F83186634F4523F0144BD99C8BE36E07A3E9D13407EE854717E06C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046361Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:56.181{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FA55F53F2E0848AD51DA27BF64602B2,SHA256=E5631FCF1FAE35A340302DF047C8D6B93A44084B4B4BBDA2C4519A584BC9B34E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046360Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:53.650{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51799-false10.0.1.12-8000- 23542300x800000000000000046362Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:57.196{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91BB619F1FDEB036BC3F2DD063F8ECBB,SHA256=FE99BC38CDFF56FD3F5CDE450039615C7B7324B138ABD8120F953D39B5193F2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027497Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:55.954{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51029-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027498Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:58.057{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BDB6B535761F347494D6A636BF02FD8,SHA256=B446CF279A6F1F0BF20F14B42479F0C12A64279E46423ED1723E98BC21469330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046363Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:58.211{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E2E7C3104F41F55F666AD91911767AA,SHA256=E617201630D18FC08DC3B649A45807E7051ADCF1AB99D9E5E2D0708B48CB43AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027499Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:51:59.057{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3807A410C3B5B46645E3EFCA0CF722F,SHA256=2CA56162B36818D371CBF9B844041ED8F0B5852055F2C864CDD8200AB3AEC2B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046364Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:59.241{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4C9AB7F46897DE24D4CA5B9AF5D87EA,SHA256=AB9E0190160730F0812A4D0136EF4BB0C6972CCB3E6E69F0BC1007495664DC74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027500Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:00.071{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B7519E7CB4CAE7E9C17D1135D48D9B,SHA256=DEF06AD7ABD72605D69054E9A646EDC6C2F7D14AD6F05174CCC6CE02D73F15FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046365Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:00.258{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=851C5DB92E1F6679B0908E661B624EE6,SHA256=4EB714D8BEB9EB6D40CEFD6F05B6582A2C28A5A8C239B91C556D21CAE56FF9AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046367Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:01.278{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C573187AF95CEB768A5A5AC94594D69,SHA256=D0D17576A342BEE8E1EA2249E6AA56CF887A0F9141D4A3EAAA96DB852E30CFAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027501Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:01.071{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FC470D24D98519DAA6F3181246BEABC,SHA256=06FB239DEFF43D1DA3E85DFF6A3DDA4803ED773E74BDEFE77624FDF38C6D0D70,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046366Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:51:58.848{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51800-false10.0.1.12-8000- 23542300x800000000000000046368Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:02.292{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CA499177303035E340FA4EC6359D8AA,SHA256=BFA71AB1E329463561231BBFF6409BDB51879DA2E20D9F295D6CE52ADD61FFBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027502Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:02.087{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB0DB6337E16B18FF2B8FEAC859316CC,SHA256=E9218E62FB6C462463F1D1D6F28AF01FEEF3C64295B0889BC2771253F246C318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027503Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:03.134{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3754AC6694515AA787DEDC1BAD20D711,SHA256=BEAE5781B4920FA4F6BEB9124A8269BC85DCC76E494651C6054C33541F02A0BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046369Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:03.307{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6BDF3D4F0136F043CCBC89B7CD7B6CB,SHA256=58BE80FA7890716E226190E2234A8D02CC403FA5C176CF7E29B4D4574B74836B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027518Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:04.884{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1D04-6136-9E06-00000000F101}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027517Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:04.884{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027516Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:04.884{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027515Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:04.884{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027514Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:04.884{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027513Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:04.884{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027512Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:04.884{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027511Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:04.884{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027510Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:04.884{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027509Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:04.884{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027508Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:04.884{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1D04-6136-9E06-00000000F101}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027507Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:04.884{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1D04-6136-9E06-00000000F101}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027506Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:04.884{FFF7FB96-1D04-6136-9E06-00000000F101}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027505Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:04.149{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F65030A25FF58E1D4975500AE4DFF5D4,SHA256=154A35811D92F795AFF49A88573336EDEA1B197FACDD43BCC222B12CD2ED5361,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046379Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:04.775{323FE7D8-1D04-6136-2509-00000000F001}69446304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046378Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:04.575{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1D04-6136-2509-00000000F001}6944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046377Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:04.575{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046376Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:04.575{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046375Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:04.575{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046374Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:04.575{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046373Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:04.575{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1D04-6136-2509-00000000F001}6944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046372Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:04.575{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1D04-6136-2509-00000000F001}6944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046371Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:04.576{323FE7D8-1D04-6136-2509-00000000F001}6944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046370Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:04.322{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=269AEE63AB8366F61AD7D5F2304E62B7,SHA256=3EE9FB19094DA1F6F65F98D374CB40292D6D6D5370F7C223DE951BA83DFE6A05,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027504Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:01.968{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51030-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000046398Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:05.939{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1D05-6136-2709-00000000F001}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046397Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:05.939{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046396Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:05.939{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046395Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:05.939{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046394Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:05.939{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046393Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:05.939{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1D05-6136-2709-00000000F001}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046392Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:05.939{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1D05-6136-2709-00000000F001}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046391Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:05.940{323FE7D8-1D05-6136-2709-00000000F001}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046390Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:05.593{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3741CA5BD48CBCCF834156C848180B11,SHA256=42A1BB4EE0447BA0E710F2FD6EB52DD34D0B639C494D84F5935B6ED67E132D3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046389Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:05.593{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=139CE97A2AAB8BB0CFC8D5501D6EA4D6,SHA256=2F28305255EFBDC0ED11DDE6CF1D5781E19FE59D61FC5924DABC1A2EC742C02F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046388Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:05.338{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54FB3722B61EC2FDE2ED6957E9EB3F3B,SHA256=D0F27D3BD43969898F12CF7A64CCB07615E641EE9D182165F4AFE66E115260CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027549Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:05.962{FFF7FB96-049C-6136-9F00-00000000F101}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027548Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:05.946{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1D05-6136-A006-00000000F101}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027547Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:05.946{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027546Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:05.946{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027545Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:05.946{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027544Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:05.946{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027543Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:05.946{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027542Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:05.946{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027541Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:05.946{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027540Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:05.946{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027539Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:05.946{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027538Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:05.946{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1D05-6136-A006-00000000F101}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027537Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:05.946{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1D05-6136-A006-00000000F101}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027536Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:05.947{FFF7FB96-1D05-6136-A006-00000000F101}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027535Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:05.884{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83B24A4F3B2A12FBF0B722C01AED9F86,SHA256=D3C896958A06207AD06300AD4EE2F804E2A69207B03FF63D6D4BFEE047D76DF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027534Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:05.884{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C368EC935D5B64022D85DF5F52CC42D,SHA256=1594A04BE55BBDE94582BA98287A72EC9262B3CCF43FDA6EC448733EF94B6278,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027533Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:05.602{FFF7FB96-1D05-6136-9F06-00000000F101}40081924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027532Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:05.384{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1D05-6136-9F06-00000000F101}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027531Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:05.384{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027530Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:05.384{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027529Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:05.384{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027528Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:05.384{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027527Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:05.384{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027526Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:05.384{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027525Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:05.384{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027524Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:05.384{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027523Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:05.384{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027522Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:05.384{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1D05-6136-9F06-00000000F101}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027521Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:05.384{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1D05-6136-9F06-00000000F101}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027520Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:05.384{FFF7FB96-1D05-6136-9F06-00000000F101}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027519Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:05.196{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03FE81778A1F0277F1C088319C889947,SHA256=6D3D881FCCD848ABF2FC44F7AFEEB3CF41175625FC34007234B1F84DEA276148,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046387Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:05.258{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1D05-6136-2609-00000000F001}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046386Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:05.256{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046385Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:05.256{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046384Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:05.256{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046383Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:05.256{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046382Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:05.255{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1D05-6136-2609-00000000F001}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046381Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:05.255{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1D05-6136-2609-00000000F001}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046380Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:05.254{323FE7D8-1D05-6136-2609-00000000F001}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046400Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:06.739{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3741CA5BD48CBCCF834156C848180B11,SHA256=42A1BB4EE0447BA0E710F2FD6EB52DD34D0B639C494D84F5935B6ED67E132D3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046399Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:06.360{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69088E9C083B6A5834B6370ED5DD9D15,SHA256=A75B9D9273950065F09B080A4266BB5B4F754B12B1349FE21A5D83B56D3032DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027550Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:06.446{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0ADE30F796CDD14509831E107FA299E,SHA256=D33934B31D02145A36600AD9BB53AAF17DF9EB08C20166581FDA399B34902873,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027580Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:05.796{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51031-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000027579Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:07.930{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1D07-6136-A206-00000000F101}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027578Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:07.930{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027577Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:07.930{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027576Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:07.930{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027575Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:07.930{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027574Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:07.930{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027573Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:07.930{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027572Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:07.930{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027571Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:07.930{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027570Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:07.930{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027569Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:07.930{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1D07-6136-A206-00000000F101}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027568Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:07.930{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1D07-6136-A206-00000000F101}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027567Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:07.931{FFF7FB96-1D07-6136-A206-00000000F101}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027566Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:07.509{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64F9A6C4A68FDA520F68F3B2B67F080D,SHA256=4F60DA7F84F15D420EEA2CB64C135E9EAD95F259D754B78778AFDD4112F8374E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046412Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:07.891{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1D07-6136-2809-00000000F001}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046411Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:07.891{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046410Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:07.891{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046409Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:07.891{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046408Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:07.891{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046407Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:07.891{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1D07-6136-2809-00000000F001}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046406Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:07.891{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1D07-6136-2809-00000000F001}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046405Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:07.893{323FE7D8-1D07-6136-2809-00000000F001}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046404Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:07.392{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5950F917BB8D9EEDC1D51017F8F4C4AC,SHA256=BB3D18056444C6A01547B1DFE7E414E8F2B8AF1023D45C07401B396075E0AEA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046403Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:05.315{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51802-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000046402Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:05.315{323FE7D8-023F-6136-2800-00000000F001}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51802-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000046401Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:04.648{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51801-false10.0.1.12-8000- 10341000x800000000000000027565Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:07.446{FFF7FB96-1D07-6136-A106-00000000F101}13681296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027564Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:07.259{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1D07-6136-A106-00000000F101}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027563Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:07.259{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027562Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:07.259{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027561Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:07.259{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027560Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:07.259{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027559Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:07.259{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027558Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:07.259{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027557Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:07.259{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027556Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:07.259{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027555Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:07.259{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027554Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:07.259{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1D07-6136-A106-00000000F101}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027553Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:07.259{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1D07-6136-A106-00000000F101}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027552Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:07.259{FFF7FB96-1D07-6136-A106-00000000F101}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027551Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:07.055{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83B24A4F3B2A12FBF0B722C01AED9F86,SHA256=D3C896958A06207AD06300AD4EE2F804E2A69207B03FF63D6D4BFEE047D76DF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027596Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:08.602{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1D08-6136-A306-00000000F101}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027595Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:08.602{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027594Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:08.602{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027593Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:08.602{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027592Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:08.602{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027591Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:08.602{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027590Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:08.602{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027589Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:08.602{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027588Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:08.602{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027587Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:08.602{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027586Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:08.602{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1D08-6136-A306-00000000F101}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027585Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:08.602{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1D08-6136-A306-00000000F101}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027584Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:08.603{FFF7FB96-1D08-6136-A306-00000000F101}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027583Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:08.540{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41B3A9AD15F629A6E47215AC6125436D,SHA256=F02D63B7B1448E8A0A8C5E5C4C98CC76F87CCBF532764EB16197E54A13AFF2B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046424Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:08.906{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C24050FA6ACF8D2C0824CD432B1672D,SHA256=F4DAF2555A05DE35BFF99532B07B0867B597E89A0C16E3E81E70625B10663E60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046423Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:08.659{323FE7D8-1D08-6136-2909-00000000F001}53924832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046422Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:08.491{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1D08-6136-2909-00000000F001}5392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046421Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:08.491{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046420Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:08.491{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046419Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:08.491{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046418Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:08.491{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046417Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:08.491{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1D08-6136-2909-00000000F001}5392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046416Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:08.491{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1D08-6136-2909-00000000F001}5392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046415Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:08.492{323FE7D8-1D08-6136-2909-00000000F001}5392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046414Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:08.422{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ECBBDC04AE6B5BD1E60A83E7456FA0E,SHA256=FCA8E145E491ABF8E4B55C8B2C8E0C2DDBEC376D29FFC75248FADE1E45F31802,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027582Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:08.305{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8C5B5E084BD1B123269B94F96C58317,SHA256=02D270228EB14FC8230FD6BBFEAAF185699B6DBEEF0B100DD8CFA57EAAB0D104,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027581Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:08.102{FFF7FB96-1D07-6136-A206-00000000F101}604996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046413Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:08.091{323FE7D8-1D07-6136-2809-00000000F001}33926148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027612Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:09.821{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5259834D7E76DCA90603D3E6CA486A29,SHA256=070063D6F186D68F10E519100CBDE63EEAF5A04601BEB1AE50C923EDF7CBD65F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027611Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:09.821{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42249CA90FCCA146D6300ED5A5AA2BC7,SHA256=39B1A8F205FC3AFF14F2C09829B36F064097D9297500340ED5CE4187BF939FC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046442Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:09.690{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1D09-6136-2B09-00000000F001}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046441Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:09.690{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046440Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:09.690{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046439Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:09.690{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046438Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:09.690{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046437Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:09.690{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1D09-6136-2B09-00000000F001}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046436Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:09.690{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1D09-6136-2B09-00000000F001}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046435Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:09.691{323FE7D8-1D09-6136-2B09-00000000F001}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046434Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:09.458{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=050CF3CB2DC486EBA77AD62BE4CE3413,SHA256=31200D8230C53952DC27FB7DC854E0BEE1293676E17ECC9991EE8A4A12F1ABC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027610Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:09.259{FFF7FB96-1D09-6136-A406-00000000F101}34803348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027609Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:09.102{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1D09-6136-A406-00000000F101}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027608Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:09.102{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027607Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:09.102{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027606Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:09.102{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027605Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:09.102{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027604Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:09.102{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027603Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:09.102{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027602Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:09.102{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027601Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:09.102{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027600Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:09.102{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027599Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:09.102{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1D09-6136-A406-00000000F101}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027598Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:09.102{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1D09-6136-A406-00000000F101}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027597Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:09.103{FFF7FB96-1D09-6136-A406-00000000F101}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046433Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:09.259{323FE7D8-1D09-6136-2A09-00000000F001}59405892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046432Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:09.090{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1D09-6136-2A09-00000000F001}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046431Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:09.090{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046430Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:09.090{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046429Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:09.090{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046428Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:09.090{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046427Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:09.090{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1D09-6136-2A09-00000000F001}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046426Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:09.090{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1D09-6136-2A09-00000000F001}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046425Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:09.091{323FE7D8-1D09-6136-2A09-00000000F001}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027614Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:10.837{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=369FED04C1FF2315CFF105C3F0DCA854,SHA256=E044FEE393D49A25924F7838EC3CB4DD29D25993139C57B16C13A790A3894C67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046444Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:10.489{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85FBAF55D4567FB54C43744470CA726F,SHA256=2BE9AC067015CC4FF38CC45757ACCB2C4B8444E362FB7B246B59314C5BDD2F3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027613Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:07.941{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51032-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046443Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:10.105{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CAF038373437745BD73B1AE1CA1EDA7,SHA256=7E5B0C474B429120E576BCBDE34AE8AFF96AEABF2870ACDFBFC69CD23EE84323,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027615Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:11.852{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0884FAEE1254F420DDEBF4649E9F5118,SHA256=56BE4E7162211A77C681A708FCE63B6F33D2A28BFEF6D9CE9F9F5278259A9C92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046445Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:11.520{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A80E884870683A7244172F8DBA8C334,SHA256=8149FE225386F75776A6B131FAD3D894823C8ADC9F5F1EC2216DFBB2EE5378E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046446Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:12.552{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83DD1FF57C5A38C3B9A39D84F0B51D2F,SHA256=D1D7566F30A0AD7A8CE228BA1254A38B4283F2636516BE0A8A91C0A5A75F4439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027616Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:12.852{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A529FC61AC94ECB539ECC5AA89CA0A80,SHA256=86F372406ACA113895393D5F1CD89508740AADCE36F87012E8BBEA317B1F9CA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027617Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:13.884{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A3D5EAAF99C46D6F6FF5B84D275E9C2,SHA256=F2773F328D2D7044775D4E5A24603DB06C5BD3F6A2817F12892AFADE2088FE4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046448Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:13.571{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C16DB495423E7E181F8FEE864D7D871,SHA256=BA69852902C7C439441F6F653735FFCF2D52D8FF67BB9E0AB5B544589A8001AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046447Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:10.664{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51803-false10.0.1.12-8000- 23542300x800000000000000027618Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:14.899{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBC1B21F93EFEA1AC0B3727F77A0FD78,SHA256=28BBB0A67195D102FAE430511DB2304DC5D3947034F78A5A354F6CE43A121854,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046449Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:14.588{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6031638E6A5124DC4E110ED5082ADA69,SHA256=4E0B079B0964F777D7F4455836058F5D5B4528A56FA5A223002C2FF189C0CEC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027620Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:15.899{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49859B578F13C955C6A4A42CB2292A8C,SHA256=228AF66108B52AF1F35490D5B039407F0A1D84BE15E34F364AA2F14F1F496A37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046450Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:15.603{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A480D5E4E2E2BA0EF9BF011108E47266,SHA256=8F89AAC09D5CF2B54ABD4E02B1281277682D6BB52792FE82DC48BBF2E2983BF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027619Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:13.983{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51033-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046451Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:16.618{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4B47DC3A57793F0589CEFF05551B720,SHA256=4E20426EDF39BE7DE5AF512E08F733B4964921728CF39FD39E60108981FFAAE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027621Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:16.899{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45CAC864F96D6067A382EF54475AF68E,SHA256=FA3E26B8A50C05D2865E36EBA0ABE7A9D558535179D2CFCA6D11B912BACACCED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046452Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:17.633{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C638385143031BBF38519CEEFA326FAB,SHA256=79ECB229B9E5C22EFD562409EF3CC039E69DC6096A70B26CE175FFB06386BAF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027622Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:17.915{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16D061333C1A7697329BA2420A3BB9E2,SHA256=85F694108E2903A9C4AEEBBB65E2E3689A865E1BAF5690C0D1F20196AA5DBD91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027623Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:18.930{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39E5FEFBF9A4D18ED4426D2571286A10,SHA256=C389A1A32D3964CF26645AFCDD22C6D8F704CF763CC30649E8DE378DF70A0B15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046454Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:18.650{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BDEAF06DB7ECE83B61AE65D4F9320B4,SHA256=7D58D4169833B8287B55F5D909408CBE2D3833D9F5395FDF21CDC8DF0BB98680,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046453Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:16.693{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51804-false10.0.1.12-8000- 23542300x800000000000000027624Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:19.958{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBDD8FBFB70235B71E3F65585B0FEE74,SHA256=67D1BD092D684A0C0D3D7B201F94BC7EAC1D277C7CAE9945EA5DAF92AD06BD4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046455Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:19.657{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C82601914C2C43DD394AC039770A438,SHA256=F7E67B6AC4DB72D0565007781DD37C7B3C6C4D310153D17B513E947FFB97B3EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027625Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:20.974{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6172C6CF025CAF8B58A73864A2ED0E,SHA256=5F8F55F99469E19B36F14BEE3E5AA6F7F71E7731A54C7DBC2F2FBA10004159E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046456Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:20.676{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D5D6BAFE198794DB4501C59AC456339,SHA256=23C3D22C0A1E47DBE76D8D18298148D550C1639487873724E60D50CEAC1D98C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027627Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:21.974{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6520014FC794F1393A0017688AF794D,SHA256=A6E2977C67300D7FBAFFA0FC2703B2B9B757DD81F9B8BD78AE1EAD9B9F554B21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046457Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:21.691{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B51A9B413CA2D0D6BAC8D40E21EEF01,SHA256=D1A162EC85576AB44DD2CDE9A5695237673B0BB04155A29AEC8DC49561B68C89,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027626Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:19.062{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51034-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027628Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:22.974{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CDB5AD63112C11BA24E0A48D8DE4B74,SHA256=EC5578C2ECEB5572CF342632F5E419364517CA215A93F626BFFC201021B5B153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046458Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:22.694{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B6AA3EB1E8E8AC6790358875E1969FA,SHA256=EFC49A0DF809E224D178F0AB6A48B3FECC8F05742D057CF4B6B942124C3FBA9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027629Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:23.989{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=717905B58A23704264D09CB0C90B2BD2,SHA256=65426F8D05B82B307C49857F09C6DCA82712EE2C79891EEAF6F2546DAC66A062,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046459Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:23.709{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC1EACEDB6F6AEA3E3D6A29708CAD485,SHA256=3405D995948D74752BF8EDA5427FB51B1B81A759ACA513A1A8F4D6B911229099,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046461Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:22.701{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51805-false10.0.1.12-8000- 23542300x800000000000000046460Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:24.724{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEDCB6AA8A9402FBF35AFA5B5336F162,SHA256=03F15B8BAE858DE8009A44283337070A76DC47CECFF3597352145407C4ACC821,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046462Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:25.739{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB07D46B7381FD5CE423A0C46A024294,SHA256=4B51F63B6EE72CAA293069849D41B79B2E062FC0100F0F0319FF7EC387B45065,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027630Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:25.005{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2D0B30E1D0B657ECCFE0CE151CAAFEE,SHA256=0B0DA3B1BDC10DE7609CB92C2AC491F5610C52B5A5237C088EBD9C21771C4FCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046463Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:26.756{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFC56E5BE18881485B257EC64CF1BA4E,SHA256=F9057095787769F349746FF6398A5E8560E1690A1FA038EABB87C2C6397EAC85,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027632Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:24.933{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51035-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027631Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:26.020{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FD06219D9BAC3FFE39E66F70CD3F926,SHA256=0FAF57947C39EF0CDDA409644651294FBB7399E91D064D7E3468E831D146316D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046464Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:27.775{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6E5E98AB626212D685CC6C8E6FCB3ED,SHA256=ACACD844975437FBB608B246B609E90AE0F91133E26036772083C3CCEFB6F18C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027633Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:27.036{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F31FEB44761D208CA4573A270103815,SHA256=D9EF93BE4ECB56F29F923C7D4F54A2431B97D752E6502EC672B6C72A3B943EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046465Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:28.781{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D84DCD6645A78AD716A37F45A7C051D4,SHA256=D6157A2FC813BC42B566ADF224E8EFD663BB314E5888C6E2A958690B3075D976,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027634Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:28.036{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A538CA6516673EEFE932AF32C8BC153,SHA256=A38DB6691102D2864ADEB4AA90CBEEBD7586747101FFBB8AE9C1B1E4D276062F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046467Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:27.713{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51806-false10.0.1.12-8000- 23542300x800000000000000046466Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:29.796{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21B082CDF1953DF9FBAC270942CC0926,SHA256=03F71827A918BC4EC618518AC179A5C449184621BE2319A68051FB803D2B3C89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027635Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:29.052{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EE4136FEA095CAD191A4A4B015E6E4C,SHA256=5D3398575304BB9289979D877580881D80DB86740844A5CF15F4598946344735,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046469Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:30.812{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B032112F22CF12BF249D92D97682CBC6,SHA256=621B14296909DCFD8D625A6B63973D473C0ADF37E06F10D3242C620D33639D0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027636Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:30.067{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19E2A4825FFFD408B147C3B4D94CB654,SHA256=5F697EA5477DEDA99807BB256EF08B809C967465BBC7788531A08841F6D4EE30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046468Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:30.497{323FE7D8-02BC-6136-A700-00000000F001}1036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046471Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:31.812{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDF7333E8FE50558337707C477A2EAD0,SHA256=423D0EED20B27928644BC4BDB88B296850DB146B9BF2EF8041491099CF728AAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046470Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:30.073{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51807-false10.0.1.12-8089- 23542300x800000000000000027637Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:31.083{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92A8E563CFD4CFA8220451EC9DB239CB,SHA256=D2FBF52BF2B7FFC5F98CD06A769B86F876C60E8205F0617EC435F60EE6A83878,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046472Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:32.843{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF35E673B5E4EC85ADBAE971C4A1B3A,SHA256=3F05583BC88AE46D12393AAAD1C8CE7F720BAB8BC4097A743CDB4EADF797546D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027639Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:32.368{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\respondent-20210906120554-103MD5=4761C661187147E55C9BD88F93ACDD3F,SHA256=E49051AD655512C416AEEFA39D6145E31F50204E8459201070596158B48A8487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027638Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:32.085{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26DE11E8C0C3570F3768BD4EB7AAEEA1,SHA256=6DFDBE497B8838DA41BDFF623FAABB3B56D796BDCEF404424C182394C88AE7E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046473Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:33.860{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97741A279FE1FA1A0A806B2113837EDF,SHA256=BEAC7A1890FF5F080DDE9534C96E166E6232431C8887673B8A77172D1B073BC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027642Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:33.370{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\surveyor-20210906120551-104MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027641Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:33.087{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6074ABB11276A13135781BF5213371F7,SHA256=98719E7D62C3A4DFDCCF17BFBDDB76F560D868AB35EFA9A3161B1FD481B749ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027640Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:30.886{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51036-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046474Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:34.879{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=816252A9C00FE95EB5B41FEBF7EDA59B,SHA256=76B6CD86EA4CC3D894DB37D89D48A97249BBAE49396D5AD80C2DC8A3D2479ACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027643Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:34.088{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89E03AFB0F773C2E1906FF2F4EABF3EC,SHA256=D3A2BF84AD44940CFFAB0150433978126657CC4AEB83F8DF84798AA10F340EE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046475Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:35.910{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86402A4995712617B76BE2A9407FB2AD,SHA256=1853596AC68DE2CD609C7B21661D170D7B6631F2CC691D7E184257E5EC708D0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027644Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:35.104{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBA1CDFDAB948BE2C592A9FD7F913A19,SHA256=A478EF5E968B0093C4F8E2D90A0D5A4544C828E16C801EFCDD76602519B39767,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046478Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:33.671{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51808-false10.0.1.12-8000- 23542300x800000000000000046477Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:36.943{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1A417D07C13DAFD1B9F26C279409E9F,SHA256=FFD04D83DD01A660E0CC781387DDE6A866CAFE59BF252AB2A70E95215D46E6D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027645Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:36.104{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=415124556A1FFE1814E24E21D0EF44A0,SHA256=D5195D3DA4106364CA3B63C2E4E4408DF6A666BB5C7598758787461AA754032B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046476Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:36.325{323FE7D8-022E-6136-1000-00000000F001}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=AC02F28751D56445E24BBFED23D009C9,SHA256=6CA27F898230329A622A12FF7731DB0E473C090F208A7563F153E7752363387A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046479Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:37.960{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DECBF858FAAEDECFE011AE4FA188A8E,SHA256=96E1E97735E12F223A5AD8F12D21D61B3534FD39F2DFD27717B53CFF4CCF9CE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027646Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:37.104{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75E793DB03AD32000BE50D386EAC7A1D,SHA256=53FB397280CAAE033CD23D14426DBA0BFE12EAF8F2B9B0071A769EF56F4F6A02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046480Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:38.979{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1DCCE5A8EA5351371F9DCE8B2F0EADF,SHA256=7D460492FBE259BFDAC11EA1A1B0BDCD35A33D3313E470F8B4480B1B2711FD5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027648Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:36.048{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51037-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027647Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:38.104{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B1184E63D502BFB91006A9D2B25989B,SHA256=8384D7641393719C979B8CA9F944E73F9E7D750C52A90C0AC31DE0A4CF279B95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027649Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:39.119{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36F239C6016E01686DCC04A8CE4002DC,SHA256=8AD41E73E231DF62BE5F65B1149C750E2DDF472CEB6C11451B747B73D2D8AEED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027650Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:40.134{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B26B9BF4544EAF16E089F5CCAEC77E9,SHA256=C489C8DA83C467D39FE27D9B70A9C9C70AC504732BBC3FA3DC9C154AEEEBF32B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046481Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:40.010{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A0C574E37B6481F1384A07A0FF5F215,SHA256=91E3B75B6ADF5DA62FAD43161B3D7C0728BF8101AF4171394AB122787AA9D9DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027651Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:41.150{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7C08BD2FBB145243E9AD29419F70AFF,SHA256=40320DE72BF3F36E4716F1FFC7511881B1AFF4A21C96F993CA2AC8E867F58316,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046482Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:41.026{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=939FA5DF9000EE6185EA97AF696C6EF2,SHA256=7B22B1B399595821C8AA0276E6FD3E8FD744AD4875C93866EBCCC468670366A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027652Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:42.166{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=245E1B900CF040A040D1986747BF3322,SHA256=DB2FAE570D49745A5CC1B88C04F90D60E2512FC8B886A57D9C51F58267FD6EE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046484Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:39.652{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51809-false10.0.1.12-8000- 23542300x800000000000000046483Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:42.042{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F927E11B2F72986669C04D599C877707,SHA256=A0B82B371715A49AA12F15F57A8D05D13277E2BEB6019E0B4F57308907807B40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027653Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:43.197{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76429B4CA50DD2C711AB63D6E3ECF5EF,SHA256=4F97449C5619E7CFE932A2BFDE492E36F2673245025E271F1D67E1E4080BE325,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046485Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:43.046{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A534E88577C76C6346663C802EBA44CC,SHA256=A72EF8423A61D946CE3BCA3B29681BECE7B9C140E3E155C6279477E7E5976540,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027655Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:41.906{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51038-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027654Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:44.213{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13B3041780A82D734B3C9D2C71A85549,SHA256=312D6B6F60AD7B55CAD4B28FD3E3A46BDF18D685BC2603D3325F9F316AF6E3A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046487Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:44.086{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\respondent-20210906115753-111MD5=58D52BFFD80488B8005F7C319C2D4334,SHA256=B9D8441D1BC2ED8425146F5F211E2A21C477807F4E0B7EBAD9811C868FAB9279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046486Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:44.064{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A11ABAB67DF045EA218F1CD08F8E1830,SHA256=E31A5A74C8F1B0F9EE463C81118751523329AACFD7AEC61792B736BE60EE7F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027656Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:45.213{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02D48E685C255B18CA96997A8C812A75,SHA256=93430E307148B994C523BD91BD2E6064C91416A2EF4BA6F6B93A3FA9C246287A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046489Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:45.087{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AB46CA0E5D4852EB4E23CA3EE4649DA,SHA256=E84CC586DDA318FBC9B0F023D91DEEEC65236F82E4EF26D8FCAD5FFB4FBF8E4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046488Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:45.086{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\surveyor-20210906115751-112MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046490Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:46.101{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66BDDC70A0A5D0E016C8F83C551C6774,SHA256=D4C657AF559B0E34C4A75F345CF066B2800418BFAA04ACE1D34F074650E0420A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027657Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:46.228{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83B66FD594E4DC852804393D22F0C506,SHA256=1A354268D6EF13B7D15A3674F94F3F5414366AC6A96073EE55317A900AFE7515,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046493Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:47.147{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D40CEDB370A041AEE695F0A54921FA1C,SHA256=A93ADD6E6FE1F1FE0C628E77C60ED1CD190493FE7C537F5E94E7650CDF7C96D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027658Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:47.244{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A296F96CCF3E36D68D3DF5B222761F02,SHA256=61E26F905FD46C86E16E8F8595844DA1FE28658BBED32813878C903077131B98,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046492Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:44.753{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51810-false10.0.1.12-8000- 13241300x800000000000000046491Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:52:47.115{323FE7D8-022E-6136-1100-00000000F001}492C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a326-0x79605a54) 23542300x800000000000000027659Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:48.275{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA72CB2CA3DC6C2FDD1A4DBAE87639AA,SHA256=7213B330EB7E39E4CB11054BFA3CAF4C76AFC9D9D591983427C30AB3D95391F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046494Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:48.164{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F69054FFE57E3AA707DE1D626AA223,SHA256=EADCE13180617006222BAD75600A1D5EBBA14A7D3CC2B44A2A41B3E2BBC2310B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027660Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:49.306{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFC70AF08A2754BA2F003EED8D251D52,SHA256=60CEFF631504C9CE187CDA1CA83B89B0221D75DCC122946CC752768179E5C646,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046495Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:49.183{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FC758F9CC1A120D9B068E07E7CE6027,SHA256=D62800DA2E512C59355BF793C82DE938B5A20AD25AA84501D13218F9B9AF29DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027662Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:47.891{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51039-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027661Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:50.322{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA3C8A6DBF509351470849F8D0325B0C,SHA256=3B3E85E526A7334A5FC90FA81975971109D42A42986421ECCB57F4CC89696D61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046496Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:50.183{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E1914465AC58C038DB20BD6D0F7D41,SHA256=CB44F8F1CD4A13BCAEFD22F273B8199CE77DDAA49005E6C5B0F72CEA147E85EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046497Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:51.183{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=121C2EBE98AEEC44DD0591C303FBD9B6,SHA256=C4CDC16D7672ED3C0F3D69CE5D4735D48A19466C42B9DE91FC24F082719C2178,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027664Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:51.681{FFF7FB96-041E-6136-1200-00000000F101}1020NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C1CC382C78C0D8BBD9BFBBCEC267FA99,SHA256=64770FDC27E07A2FF5C9DD39737AF666872188749735D9CBEEEEA7E7F014A693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027663Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:51.369{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F98F09EC7AC043A609859CBA2DD978FF,SHA256=1D9D7F080905FFA711EB9468530904C67BF5C7AEC8DD5D838EF3BF906957E30D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046499Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:49.837{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51811-false10.0.1.12-8000- 23542300x800000000000000046498Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:52.214{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=377481D3098AF0DF653DA26AAA7955C6,SHA256=98421698B09B819A9BA15883347DCE248425AF33690FF6D3AE63DCFEF0405A98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027665Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:52.384{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5561FDBBC6C1469D9924320C2AAA41E,SHA256=8055B5271DE64747E1F1504AE60314AD084B0A86BF600B8AD3622FCCD9AB33F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027666Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:53.416{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62312516AA8A1EC33C8675137E095FA9,SHA256=D06F383C27156A72E625FCB3A275CDDA25B46AADBB901B5786E4748A8B68A238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046500Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:53.228{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D09C885180569303B48E878C4E150227,SHA256=2493C4FF03D2C6067BE5476B15F571BFA1A3D8522309DAA151517E949C8C2FE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027670Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:54.431{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA5C73701C66F868C2BC23154AADCDB5,SHA256=389FB9F90308FFD637DDC467E06CF2FB58EE6913A174244469E8063BCD5E8213,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046501Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:54.244{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12DF0881197059B55547D73060BB959A,SHA256=E2C8A30B737AE06D48EFB06E6060744571B0F8165A5711194E3563A033F4F92F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027669Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:54.025{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041E-6136-1600-00000000F101}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027668Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:54.025{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041E-6136-1600-00000000F101}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027667Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:54.025{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041E-6136-1600-00000000F101}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046502Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:55.263{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F637CA922BB7BE7BF94F50A1BDBF84A,SHA256=C09978C5F99E8C52CE29D898C3F39F2685E5B49017FFB131501980F5501B9B79,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027672Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:53.078{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51040-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027671Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:55.462{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48701D26CBC423AC07582662EEBEDEA5,SHA256=E1E1CDAD9EFB2BAA09A93EC10982AF55522EA3C311E74A9B3DDC2D71D199136C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027673Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:56.525{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF172915CA70B2AD131A2ABC5894F412,SHA256=0940EC5411129F28FE9C842E169CE578725B2DBED93FB1B396059A279F8A64F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046503Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:56.280{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42D52945BC522C717390DD488AAA58A4,SHA256=DD5DE3DE9C06A9A58CD9DE42A44F190AF0816738FBA7D37D84632BE845F297CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027674Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:57.556{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8873249B96525089D05675B5A721399,SHA256=2D9528966BB4285802C547B930E668C3BB1FF487071D76ED901F6832004CF22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046504Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:57.311{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC3DE0954C6FF569AF5856B0B50A7A76,SHA256=2C5F35FA0A5E1317C8EEF0AC06974E136D7A863FFE5E21525DA9F59A64EAC38B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027675Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:58.556{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AF063ABDE201ED4BA4AF6F295407265,SHA256=3CAD974CD87C670E4E3775158C6073021BC8AC3CE4B151EE91325ED818BD856F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046506Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:55.650{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51812-false10.0.1.12-8000- 23542300x800000000000000046505Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:58.341{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CE7AD77BC9F86A57B926E6730521A6C,SHA256=E7D50153FD9C123F4556FB327AE2A81D598864648CB58BF042320A77B983B144,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027676Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:59.561{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D76FF08B57644861D49CC5F691E27DE6,SHA256=986D87ACCB72009D6CDE805F96DE22994AF4EA72452E2D94C4CBFE54A5639EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046507Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:52:59.361{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71BB22AE2BDFEE864ED8F3CAFAF484C9,SHA256=A0F9F4B8AEE81269BE194E14201AE424404FB6ECB7221D330A6932C83AD130E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027678Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:52:58.094{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51041-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027677Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:00.561{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AD9AE3E3A20F638EF2107273CCBA29C,SHA256=7D1A30CC6568B807973B9EFD184A17CDA9C1A607A23A91E73B063BE3FE2E18F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046508Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:00.377{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53D670EC4103C6D7BE7C294A2371AC54,SHA256=F20EF31D45B35FB43A3567C02CB96C31ABA9FEEFC8A21C862E8E827262660E2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027679Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:01.577{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D462EDB0EE9311298E2EB5B3905F6E8,SHA256=27AFAD1F13710FA96C7ECA11911FD331879D8A01AABBBAF4F69CA3F17EDEA26A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046509Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:01.408{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C2DB469435C5B64B5A32E3933C50DA8,SHA256=20C6D553F7A9DD404AFC5BE661B17561A0873E60CEB501E4980FFAC19E99699F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027680Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:02.577{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A740C916B3249369771E58C1A0B2B3,SHA256=6D4ED366BA9D639DE3A7CEC390FAEAFF3479A3B23EDFF041D6C854B60D37A228,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046510Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:02.423{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0EEDA3B21CA4587B6EC744C1F0A7FC1,SHA256=88DAFEAB4B707B28503122C8CF0FEEB3351A83250913F3693CCBCC1FA9A0C151,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027681Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:03.592{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C29142A8BF3686FA477EDD80862D9584,SHA256=A70E58C2CF58CEC5C0E862DB1CF466C8E8C0C8A8DADC86480BE0F2E8B03B2B7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046512Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:01.646{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51813-false10.0.1.12-8000- 23542300x800000000000000046511Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:03.438{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E3C52E1E80B116E37A5ECDD12793865,SHA256=F55A16F3B1EC1595E3C4DF7350BC8C0F7D869B61276CB6C0791A7B057BB711B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027695Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:04.873{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1D40-6136-A506-00000000F101}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027694Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:04.873{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027693Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:04.873{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027692Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:04.873{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027691Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:04.873{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027690Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:04.873{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027689Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:04.873{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027688Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:04.873{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027687Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:04.873{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027686Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:04.873{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027685Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:04.873{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1D40-6136-A506-00000000F101}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027684Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:04.873{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1D40-6136-A506-00000000F101}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027683Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:04.874{FFF7FB96-1D40-6136-A506-00000000F101}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027682Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:04.592{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20A2825561E7603968A6A2CB990F092F,SHA256=EB36A3F54CCD43AC9E3A49E042D6CAB3EEAE2D51AEC21B52E4938558C01165B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046521Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:04.474{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1D40-6136-2C09-00000000F001}2288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046520Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:04.474{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046519Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:04.474{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046518Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:04.474{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046517Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:04.474{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046516Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:04.474{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1D40-6136-2C09-00000000F001}2288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046515Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:04.474{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1D40-6136-2C09-00000000F001}2288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046514Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:04.476{323FE7D8-1D40-6136-2C09-00000000F001}2288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046513Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:04.457{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EA53BB805CD0CBFC20C8821419B7668,SHA256=E3FED1B55782A14C36B5D2F8915A5453E5EEBE2A68E015BD9C88361C5CDAD464,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027714Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:05.983{FFF7FB96-049C-6136-9F00-00000000F101}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027713Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:05.905{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB9903966317F567D247262CC7672FE2,SHA256=1BD80A6EF15F4B03E9F3B2D869FC366CED9C076E0B4D9A11D47D4D2B3D233E5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027712Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:05.905{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=834034DD6C2610366D866C3438E8A79A,SHA256=4A894AD514AB0BEE9B6BF15C7122F9A9C0D364D1C470EF9A2EBA9A792E6789DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027711Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:04.083{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51042-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027710Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:05.795{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B3E6CCC04C87713E134A7F988A31C92,SHA256=108B5AFFF74F3451F8D925DAF229F48F1EE94F481BD8259BE933B7D3FCD951D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046540Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:05.810{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1D41-6136-2E09-00000000F001}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046539Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:05.810{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046538Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:05.810{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046537Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:05.810{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046536Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:05.810{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046535Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:05.810{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1D41-6136-2E09-00000000F001}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046534Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:05.810{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1D41-6136-2E09-00000000F001}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046533Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:05.811{323FE7D8-1D41-6136-2E09-00000000F001}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046532Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:05.479{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A55B650DF1518C0424D9162CFEA1574F,SHA256=F68A552C532A320E6D6297F2D6DD8D1A34BA7FADD33CAAE2FC030EFF636D3FF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046531Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:05.479{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D2C9BC5CB3864A597759D4E735604AE,SHA256=620CF2624DAFDEA321EC0C664F84FB17A5E8B521827D549DE3DFB85EE9999548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046530Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:05.463{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57252131B0326EE5C2E7CA5B28412DC2,SHA256=8610BA81DE15FEAD8B9902275E41E3AE2898B829B1D786597FA6D52CD5205D8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027709Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:05.545{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1D41-6136-A606-00000000F101}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027708Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:05.545{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027707Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:05.545{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027706Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:05.545{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027705Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:05.545{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027704Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:05.545{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027703Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:05.545{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027702Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:05.545{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027701Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:05.545{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027700Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:05.545{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027699Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:05.545{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1D41-6136-A606-00000000F101}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027698Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:05.545{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1D41-6136-A606-00000000F101}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027697Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:05.546{FFF7FB96-1D41-6136-A606-00000000F101}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000027696Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:05.045{FFF7FB96-1D40-6136-A506-00000000F101}25602692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046529Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:05.137{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1D41-6136-2D09-00000000F001}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046528Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:05.137{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046527Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:05.137{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046526Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:05.137{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046525Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:05.137{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046524Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:05.137{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1D41-6136-2D09-00000000F001}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046523Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:05.137{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1D41-6136-2D09-00000000F001}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046522Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:05.138{323FE7D8-1D41-6136-2D09-00000000F001}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027728Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:06.827{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EAF3C334724CCBAC07C3DBFB860B440,SHA256=E632DE430376B80009885EDE415914880149170E745402DDFB1B94A41EE3B421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046543Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:06.730{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A55B650DF1518C0424D9162CFEA1574F,SHA256=F68A552C532A320E6D6297F2D6DD8D1A34BA7FADD33CAAE2FC030EFF636D3FF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046542Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:06.483{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9909B9FC3EF4540F5C737E9EF21A91E,SHA256=6BB2587A7C13BCC7B00800E4EDA18D29B2909A73AB7EBC614D1B0919382598F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027727Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:06.217{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1D42-6136-A706-00000000F101}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027726Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:06.217{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027725Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:06.217{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027724Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:06.217{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027723Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:06.217{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027722Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:06.217{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027721Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:06.217{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027720Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:06.217{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027719Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:06.217{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027718Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:06.217{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027717Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:06.217{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1D42-6136-A706-00000000F101}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027716Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:06.217{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1D42-6136-A706-00000000F101}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027715Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:06.218{FFF7FB96-1D42-6136-A706-00000000F101}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046541Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:06.154{323FE7D8-1D41-6136-2E09-00000000F001}60007080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046555Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:07.883{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1D43-6136-2F09-00000000F001}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046554Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:07.883{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046553Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:07.883{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046552Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:07.883{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046551Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:07.883{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046550Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:07.883{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1D43-6136-2F09-00000000F001}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046549Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:07.883{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1D43-6136-2F09-00000000F001}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046548Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:07.884{323FE7D8-1D43-6136-2F09-00000000F001}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046547Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:07.499{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F889C3946DD6F1E95E7E4D3D02F8B6D4,SHA256=DA2F3AFD768837E9530C17DC7EAE963C1879829F770C21C485E14DFD0C5E362A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027758Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:07.920{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1D43-6136-A906-00000000F101}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027757Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:07.920{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027756Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:07.920{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027755Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:07.920{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027754Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:07.920{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027753Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:07.920{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027752Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:07.920{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027751Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:07.920{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1D43-6136-A906-00000000F101}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027750Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:07.920{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027749Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:07.920{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027748Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:07.920{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027747Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:07.920{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1D43-6136-A906-00000000F101}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027746Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:07.922{FFF7FB96-1D43-6136-A906-00000000F101}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027745Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:07.889{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98634B50C7AEEBBC1AB84353D52B535B,SHA256=0163646D266F4D01F892E79DF9492773F5159C480840A2F9C94BB09DF362467D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027744Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:05.818{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51043-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000027743Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:07.451{FFF7FB96-1D43-6136-A806-00000000F101}9883228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027742Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:07.264{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1D43-6136-A806-00000000F101}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027741Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:07.264{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027740Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:07.264{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027739Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:07.264{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027738Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:07.264{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027737Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:07.264{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027736Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:07.264{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027735Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:07.264{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027734Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:07.264{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027733Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:07.264{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027732Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:07.264{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1D43-6136-A806-00000000F101}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027731Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:07.264{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1D43-6136-A806-00000000F101}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027730Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:07.265{FFF7FB96-1D43-6136-A806-00000000F101}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027729Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:07.217{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB9903966317F567D247262CC7672FE2,SHA256=1BD80A6EF15F4B03E9F3B2D869FC366CED9C076E0B4D9A11D47D4D2B3D233E5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046546Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:07.399{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-022E-6136-1500-00000000F001}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046545Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:07.399{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-022E-6136-1500-00000000F001}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046544Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:07.399{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-022E-6136-1500-00000000F001}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027775Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:08.905{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CC0E42C5F518366DE0DC17F9AD92B52,SHA256=B8D102EBCF666431B8306E40A9331FFBC104C148798FCFEB7EBE5C3C21D35423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046570Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:08.897{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B12E48C82CB8036DF3FE2F20BE69E7D,SHA256=E23845D5D41E128B3C6A57FB6AB23B880328F86659755EF28437CB1E19E60F75,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046569Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:06.837{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51815-false10.0.1.12-8000- 354300x800000000000000046568Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:05.318{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51814-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000046567Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:05.317{323FE7D8-023F-6136-2800-00000000F001}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51814-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 10341000x800000000000000046566Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:08.729{323FE7D8-1D44-6136-3009-00000000F001}65285908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046565Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:08.565{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1D44-6136-3009-00000000F001}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046564Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:08.563{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046563Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:08.563{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046562Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:08.563{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046561Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:08.563{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046560Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:08.562{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1D44-6136-3009-00000000F001}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046559Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:08.562{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1D44-6136-3009-00000000F001}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046558Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:08.561{323FE7D8-1D44-6136-3009-00000000F001}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046557Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:08.513{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8229DE7E4DC6B150F8C5E643F11D8874,SHA256=6C2AE4CBC86D3B851E09BA96E92127135793389B296830891AA9D5FBFF172961,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046556Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:08.045{323FE7D8-1D43-6136-2F09-00000000F001}17322892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027774Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:08.701{FFF7FB96-1D44-6136-AA06-00000000F101}35403028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027773Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:08.545{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1D44-6136-AA06-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027772Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:08.545{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027771Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:08.545{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027770Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:08.545{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027769Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:08.545{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027768Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:08.545{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027767Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:08.545{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027766Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:08.545{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027765Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:08.545{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027764Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:08.545{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027763Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:08.545{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1D44-6136-AA06-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027762Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:08.545{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1D44-6136-AA06-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027761Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:08.546{FFF7FB96-1D44-6136-AA06-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027760Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:08.498{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=394EFDCBDB1CF318346D8D5F76F31C1B,SHA256=53EF0E6F4AFBE6630C82EBA5310AC0166F669B11F992B814BEF89966BC0B72A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027759Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:08.092{FFF7FB96-1D43-6136-A906-00000000F101}377292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027790Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:09.936{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=158AC0A58760267651D6F164E704A6A8,SHA256=16695729459070B11982D62C222ECB02FA090F0855CA5CEF166617986868EA18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046588Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:09.912{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1D45-6136-3209-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046587Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:09.912{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046586Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:09.912{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046585Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:09.912{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046584Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:09.912{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046583Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:09.912{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1D45-6136-3209-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046582Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:09.912{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1D45-6136-3209-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046581Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:09.913{323FE7D8-1D45-6136-3209-00000000F001}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046580Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:09.528{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1AC5F9DE06771DF210B61241F047B31,SHA256=6CDF64674F625FB9D7D0DFFE3B03E6BA8D9936F43B6ACD4DE83A1F89CE9717B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027789Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:09.592{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=228452F6F212F9EF9D36EBFA0CA5DB4E,SHA256=74217A3D5FA32C41B6959403B8672E5AD63515A9FE608217769B591908514465,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027788Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:09.217{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1D45-6136-AB06-00000000F101}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027787Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:09.217{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027786Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:09.217{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027785Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:09.217{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027784Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:09.217{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027783Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:09.217{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027782Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:09.217{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027781Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:09.217{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027780Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:09.217{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027779Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:09.217{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027778Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:09.217{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1D45-6136-AB06-00000000F101}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027777Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:09.217{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1D45-6136-AB06-00000000F101}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027776Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:09.218{FFF7FB96-1D45-6136-AB06-00000000F101}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046579Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:09.397{323FE7D8-1D45-6136-3109-00000000F001}43686428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046578Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:09.228{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1D45-6136-3109-00000000F001}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046577Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:09.228{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046576Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:09.228{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046575Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:09.228{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046574Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:09.228{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046573Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:09.228{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1D45-6136-3109-00000000F001}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046572Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:09.228{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1D45-6136-3109-00000000F001}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046571Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:09.229{323FE7D8-1D45-6136-3109-00000000F001}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027791Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:10.951{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACDE17E9243CEB168C4BF3CE2334777A,SHA256=AE98F3483C05920BD7C9D4568F9EB20CD2488C8E7CF9B853A5E88DFBC09AFA00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046590Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:10.564{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E7D47D0F9ECD2BD9B1D1B381898528B,SHA256=4BD6DDB5DD69897C7F9D74D58B0B60DCCA1AF23CE7A9F33083A5BC56FF8A939B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046589Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:10.243{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F828AB90F253BDC664214942DD74D19B,SHA256=DF7738A2F7654A59EE124BE9C7338714F4AC2470D79B2222BCC94B4B914B9026,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027793Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:09.115{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51044-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027792Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:11.951{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7674F1E102971631D5A558E986A6BCEA,SHA256=BE6500636E965CC3A025FB2DD9E48AC7563E8EF9B40A70392A6B116F5E8E9DB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046591Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:11.580{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=549A11150863215C2AB69A3C96BFA52D,SHA256=E8AD2CC273B21DE20BE2113E5B231544BC86C224A9E1945388714A79EE74C72A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046592Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:12.595{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6E78A27D0E712FD8E4B274A84DFE1E1,SHA256=1AEC12FA87EC6ED470A04BB4E488616B335B8F6A6C12FE4BCB59321E27550C93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046593Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:13.610{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE3E941B2A5474D90FAE9CAF358295F4,SHA256=377D29BB6693BB692D35090FE931C471D176CD0EEFF5536502D990FA2EFF4159,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027794Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:13.030{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B6A13341D505D87807118D55338AB1E,SHA256=662A0C70881847140834B1B481D1CA4BBDB808EBCD7837BB2D6824BC8E2B3108,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046594Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:14.625{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E299FC705B03FF0A4060325C90C25C73,SHA256=17441F194EF3C496489190D16E133F07762B1BC7C85BBFD7D78B0D3E4DB5C33B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027795Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:14.076{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD246B68E3688981E8D2136799FD2C5B,SHA256=1F1E854821AD1B11C7EA443D1DFB49B6C58293920975F5DF64B9CE9412A36280,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046596Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:12.771{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51816-false10.0.1.12-8000- 23542300x800000000000000046595Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:15.640{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8599B36412FE36C69CB0EF5D9529F93E,SHA256=15B125021F8B7929918480FE53E8C9E57555EBDE07F2E7AC816E663270CCA19B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027796Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:15.108{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFFE7A03A6353D4056137531C572D2C6,SHA256=62F2B4F0FC03B0B151071FC5F674CC68838916AE3C777FD1D561DD53257A315E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046597Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:16.661{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F24ACC2DF3B4AAFBDC799EBA24CEEC88,SHA256=860066A5A564AC2BBEA62DB0519617762395F254CA9668BB3E22A60B254D06B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027797Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:16.123{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73321B030C9BBDD2010D4772A4749643,SHA256=7A69C88800306BAE67A934B24FB6982A03D3F2724FEF6EB70076429008EB26F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046598Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:17.677{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DED01C0DDEEEB2F6DB0A1C5E63B9A708,SHA256=842D23116434018B4A873619BAB00613457DFEAC1C047B289E29CBF60877E590,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027799Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:15.114{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51045-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027798Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:17.123{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4822460E8AAB627E0ABD261EBB198DE7,SHA256=91D9EE5CE00C8D5FE2CB058D9DEEB388710749380B97EA656FE6EFBA93890B76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046602Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:18.692{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA6E4B22A2000BCE9CEDAE89D523CC0E,SHA256=65000833122997E3088FB0E5E4E759D364B3FAFD7C5ED5F236F7FC3C6CE2BB4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027800Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:18.139{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51235F99D9B72E5B7A7294EAC030E3E6,SHA256=2DEA9A684C06350818E90CF79E715AD2A2CA05763113B59091C3E3DC2B2028AC,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000046601Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:53:18.308{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9752B235-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9752B235-0000-0000-0000-100000000000.XML 13241300x800000000000000046600Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:53:18.292{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CED8D70C-FDB7-4280-B713-3A56B1B8A289\Config SourceDWORD (0x00000001) 13241300x800000000000000046599Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:53:18.292{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CED8D70C-FDB7-4280-B713-3A56B1B8A289\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_CED8D70C-FDB7-4280-B713-3A56B1B8A289.XML 354300x800000000000000046611Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:17.917{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51819-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 354300x800000000000000046610Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:17.917{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51819-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 354300x800000000000000046609Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:17.910{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51818-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 354300x800000000000000046608Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:17.910{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51818-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 354300x800000000000000046607Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:17.885{323FE7D8-022E-6136-0D00-00000000F001}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51817-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local135epmap 354300x800000000000000046606Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:17.885{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51817-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local135epmap 23542300x800000000000000046605Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:19.707{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C37317330F36EFA14412D61E9F0966,SHA256=E79FBE90A127FA4C8273FB0C95EFEA6AE5ACCC53515B376174AB87A5CBA1D723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027801Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:19.155{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=633A6D9146AF191710BE58DF22CFDED3,SHA256=0A9590CDF356FDE2475A0C2BB80B5D0A45625872AFDB431EFD749B73C74C60AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046604Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:19.359{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FF7BDA352AC9A65EE1DFEC365840E28,SHA256=16DD747D776264AC9966FE3F2312CDB2C2428F6DBEB5BB9D7E4AB0F26A5F5F78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046603Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:19.358{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1FDE2C260BEE19D4928B63FB0D35662,SHA256=1D1A83E00ADB4752401E314804DE91A181864DF6B7A268404B49C9A1E4287AE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046613Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:18.730{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51820-false10.0.1.12-8000- 23542300x800000000000000046612Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:20.708{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE2D9FFB86F10E5DFF8706ABF00CB618,SHA256=FAFF4175F6C58CA8CA9137EEF3D8EE21288036DECEFA0E2787783D2F11079266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027802Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:20.168{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D69420A661BA3DAD90B7442651E7352C,SHA256=E4E0190DC9F8F6B704437EBE218F7C1900C5C50F47C39C359DC266B2001B830C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046614Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:21.739{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D88C574A5DDA6AF90D9836A58BDD3B7,SHA256=FCF19E32B4B013DE0114B7D4CC5C662F1A7419F3B315F36E2252B4C3424A9E7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027803Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:21.184{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9F0E5129899D28C3217E6151FB07208,SHA256=769C27F671558D49FBBE917861AB4D4DEDEE23061CEC161D6AFC6D198E004E4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046615Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:22.742{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59B99EF299E2D61A9EDBD4614F1EB283,SHA256=5167F42CAE743AE479F10337C11D7AE1E9EA5FB125662D9AC13B0D7724E6E348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027804Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:22.215{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77C008B47FD8609FE5272D991A041B0D,SHA256=0416794A4D531611081FD7EBBEC1DE6BB250F64BA6D3D086159773B1206D608E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046616Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:23.759{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1EC54C3DED8FF276E4FC7F429F22FBD,SHA256=410396CD6C70CB2D5B1443ECDE0C8E18ED7D2BB7BD77911D2F006B319B341EDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027806Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:23.293{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=771E1EFEDCFC4B95C3AD33170A55DF9B,SHA256=FE60A48D56EF4E3683B8A03512ED155F46D6BEBC4025B83A33D7BF0E9B42891D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027805Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:21.112{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51046-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046617Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:24.762{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A77B5418732EAA4F4E8CED2ABA7585F,SHA256=043D58466867EE74A5690438914A3EAB10FD01EA1FAFD115C54F9B423C8CEE9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027807Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:24.356{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6800C0C886B3C04C844BA96A741AE1BF,SHA256=08BBB0EBE1F9777AE0240EE3B8B7246529C5F24C28CEE3207C2FBD44EEF8A459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046618Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:25.777{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2241AC85B45C719EBB2522F0738BC5C5,SHA256=5E584E1BA1C496C052E00A2204CAE266E2283BB9DB0C05C68DB7313F1216D48B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027808Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:25.371{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=867576019639139512E92AAB7E1DCDB6,SHA256=BAAD33C6B34DFD66334E6BA5FA74B92CF93184E72C0E59FD1D56A8DC8E125668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046620Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:26.807{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F324FF00201E36FFC97476A29C8FDE67,SHA256=02530157C123D9CCB2FA610FABA9880F3C691BC188AA8745406F744687A1EE94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027809Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:26.371{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6627C742C1254F73AA4E52D7213039DE,SHA256=A1F0D6DC26C1D1006A8913445F1E905C9DEF2BB1A0F4C72AEE3189138770B7B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046619Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:23.770{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51821-false10.0.1.12-8000- 23542300x800000000000000046621Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:27.822{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4F96AE89CABC3C630FA9BA5BA42AD4E,SHA256=12985F0A68C593F9C13FBE391D3E7BFD49CCE05EF1056339049F84877D6DD650,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027810Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:27.387{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AAC4B3007D540DD2176EB223B80E00F,SHA256=D01C8B1DAACCB98ABA143FF81F9AFD57D32484A9BF0D58CF78CD3EDC264FF479,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046622Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:28.837{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DD421A2B12F6AB6983A3B299C24D679,SHA256=34B41B4D00C040956DF030D4C8B85B6E67FFEEC90AFCE3382D331935ED6C8DBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027811Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:28.403{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=801337449E57EB4F4C48252B57D221FC,SHA256=EA2E50AA43FBB4406909BC9B9AE5F848F1D41F15D2342FFC7A3D99C1040BF11B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046623Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:29.855{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7CCE40742E8E082467F82D37C4A836A,SHA256=F177DDDAEFCF647C002DFF1EFDED8303291E388E26800EFBC07EEFEB587DE539,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027813Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:29.418{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FB99B8B347C3CC9EAB9CA451EDB6138,SHA256=024483BDE36EB073E2989EE8A3AE43C116400F331E3D2D63525598C2EDAF023A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027812Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:26.956{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51047-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046625Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:30.858{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=451E69A4543842E56389A5B8EE1BC2ED,SHA256=B32C6384FA193F15825BC569258617E94937A02904E66BE9A5ACF9368E8E1BE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027814Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:30.434{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05BDF49887ECA6EE264F386C63C003B0,SHA256=44C07279DDCB177EE0E3FCEF147B9BAE119AE2771ABE9975469C10465B36413D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046624Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:30.521{323FE7D8-02BC-6136-A700-00000000F001}1036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046629Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:31.873{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F8975C29680D7FA7D02E089C637B42F,SHA256=0ED5A6F31CA81CEC92AE6ADEDC57BF66BD16F901C140889D14488ECAD1BB3453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027815Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:31.434{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E461F3F767BC5B4BADFA799F94318A9,SHA256=5171F9ABBD23C8F73C13634E97EDC3B248278F993989A53FBED3877F9195383F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046628Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:31.304{323FE7D8-02BC-6136-A700-00000000F001}1036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=21288E2532956D491782B1EA7254F48E,SHA256=75EC82DE61DA1CB6CB9EE4EDE1385696E63CF64BA624A012BEB5D6164530D43F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046627Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:31.304{323FE7D8-02BC-6136-A700-00000000F001}1036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=AB4CE02F93670707D18D0FED33E8E8CF,SHA256=D8D91A3172969ADE915D7587412A849657A1CB52136B3916350428E4920E6199,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046626Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:31.304{323FE7D8-02BC-6136-A700-00000000F001}1036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=00F55A59F0A00A14AE424D10D5D30970,SHA256=80FA65B319E4B8B3400150125F14D332ECF97CEB9EB52FD6B84378CD7872B937,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046632Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:32.888{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B5201DDC6B1C098A5DAD167F4767C7C,SHA256=3091657718C24F6B0EC52598E8C21F6173FFB72ECFC650994ADDE7C2FFCFBC3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027816Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:32.465{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14E584FA1F22A62743440DA132E85D29,SHA256=2327F0801884785436E6AFC5CDE57E61E68C753A5E05C3F8D47814A464F584D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046631Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:30.096{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51823-false10.0.1.12-8089- 354300x800000000000000046630Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:29.765{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51822-false10.0.1.12-8000- 23542300x800000000000000046633Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:33.903{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67E7A28C5E25A0A232901D184FE30452,SHA256=351D33A783152B7C2B0549C2AA924B917501DA764163CFA49D846B6318338A1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027818Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:33.890{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\respondent-20210906120554-104MD5=4761C661187147E55C9BD88F93ACDD3F,SHA256=E49051AD655512C416AEEFA39D6145E31F50204E8459201070596158B48A8487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027817Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:33.498{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8743DF8F40C8144B92DD30C9A2C457B9,SHA256=D82875B505D7D321F3A715DB36A4E233E99E575A103D2C5FCA8D9BC05D521408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046634Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:34.904{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26AD6FFA26760A3500ABED0B853C10BD,SHA256=A1BF380AB9D1DDA4DCD46B3DCCFEA5E080A16BB9EDA4DE01607A8B5B2F7DA798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027821Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:34.904{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\surveyor-20210906120551-105MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027820Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:34.544{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C392778747706BF82948CB28F981E6,SHA256=D752E2F120D7BEC3E45D7C884F6361BA91AEC8866CAF40C10BFD0FC461E6B4F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027819Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:32.941{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51048-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046635Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:35.934{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EB1AE5FAD22A2B9FF05C9C01BC24F86,SHA256=3113AB944ECBA97C77A747AF7D2A339BD253B3E6AFF5F79C416F4D55065EAE81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027822Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:35.545{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB5BECA00C14F5230B0A816CE071AAE,SHA256=706DEE9088833723806EFBD5E4C62A31E8FEF9921DB803DDCF38F77942BF5FA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046637Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:36.971{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF2FB842F41523213FB2C67D9F1D06E1,SHA256=C027FA3805C9B1BE21787169B7153DFFAC3D7EB16395FD50674CCBA6ECC0E44D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027823Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:36.560{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B2F49DA472515CCF0436818D3D79C23,SHA256=FEA78080B955773139B2B756AB8AAECC06A140250233DA48839A8BEF89540615,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046636Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:36.334{323FE7D8-022E-6136-1000-00000000F001}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=15D105F39D5425FB9A9ADBD708C50381,SHA256=3597F89CC0C946E7E096230FBBFE242F0642A3F236C973956D2C5595C8CD9BA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046639Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:37.986{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7494EC9618A6B81C661D3F2AEFD30259,SHA256=06C53865817059383C3054C197B33D4B43E7F82975F59BA97F2A5FA674CC31E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027824Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:37.607{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47C71030A2A3FF917C545DC234D37A8C,SHA256=A2FCE815F945C0A2D193C3BCAE881BC481AD17F476F4858F4C7F0FF24AF05D94,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046638Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:35.726{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51824-false10.0.1.12-8000- 23542300x800000000000000027825Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:38.654{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=980A8986D2E1D4507E12E8C7B69813D8,SHA256=A83E3AE61D365FAEA75F5633341D827DDE938380F501F8DB7688C5D7DAAB2E1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027826Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:39.700{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D7604BCAF586975CE13B4A0EAAF78BB,SHA256=308887FD414700BDCEC8C65EEA3DDEC904D91EB64AC6AFFE7293A48663BFD184,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046640Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:39.001{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40B5D8DDD6A5088DE18ADEE530D61F16,SHA256=BFB69A722E0D187490C8E82236DA4DB432795294C7C67AD6C8C180CD20DF236F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027828Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:40.731{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6898BAB78255AC858192124CE655F588,SHA256=8A258DAEC7AA0E52E55B2EF80273D9D68ADFD486556C079F33F4D5371C8F8EC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027827Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:38.942{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51049-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046641Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:40.032{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F23B4DBBF90AB29BA984D22718580A23,SHA256=51FDDFD83C0BF8A9DCC0935FFE69113C283553ACB51E83FE39264EDCC4F54DB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027829Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:41.747{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B6F8D273717FD6A62439033C670A2D0,SHA256=B2F050C91A1AF904DCAC79B16D57AB3E712912D24C6D15F93F2528DA67B9A319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046679Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.149{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA57FC077258EC65B318B5D8C527BBB3,SHA256=408CAB35E41F0C71AC12B398C4C424FFF3EF0808852AD79FF7BA7D334840DDDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046678Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046677Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046676Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046675Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046674Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046673Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046672Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046671Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046670Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046669Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046668Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046667Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046666Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046665Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046664Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046663Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046662Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046661Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046660Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046659Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046658Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046657Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046656Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046655Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046654Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046653Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046652Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046651Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046650Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046649Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046648Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046647Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046646Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046645Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046644Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046643Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046642Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.016{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027830Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:42.747{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=365F79EB5CE10D437F21689474FCD0F7,SHA256=CEE72BC461B48353F97C5A2DF28A6BE18480A24BD9ACA6349CD30A7E2BD0813B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046680Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:42.153{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FCF25FB86FCE1CB6F80705CE7BE2CE4,SHA256=8B63D4CA776098F67C53F481F8BE57B344144370932BAF64F4652EE08CB90589,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027831Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:43.762{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D12FFC9392BED20E816009771E5679F,SHA256=F46B3DD451E27CFD603B3A958DE3539ECC960E20A0EBA211DB2326485FD9433D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046682Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:41.676{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51825-false10.0.1.12-8000- 23542300x800000000000000046681Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:43.168{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B92D4996E9D22D0474F164987C91EB1F,SHA256=84AD7C92A752CC42EBF3C57DDA627C85B788DAE743104EA0E72CF46088F03C44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027832Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:44.778{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D97A8C09940C132EBCDF873EE51D92DF,SHA256=C34D80BE67481A18F855D608A156035DD56126AA1F92C9069CFEEFDEF8815DB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046683Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:44.199{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65AB46B780FA01B423BB9A192E137E85,SHA256=74BB40A0E8757863A58731A5A56775F89FA00AB2076B2B037EA569D9124D165C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027833Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:45.809{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1E8A8C00B19FF92B7CEC8774D1B86EE,SHA256=DCFD5E7E1AA9DEB1CC43860F04DCB3EEFB82F74A7B7AAF553E45191E971EDDB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046685Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:45.617{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\respondent-20210906115753-112MD5=58D52BFFD80488B8005F7C319C2D4334,SHA256=B9D8441D1BC2ED8425146F5F211E2A21C477807F4E0B7EBAD9811C868FAB9279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046684Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:45.214{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CC312103D8CA9B935BAE2F432520404,SHA256=60C7FBD5881972535D684D79F345A78287C992185593ED4EF4EFE2DB0CCAFC05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027835Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:46.840{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0115F38863FACF228A26BAA596024EB,SHA256=8EE5F7C45956BF916C1A48F032806DD7CAE495F881CD7F66A6E2642701E288CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046687Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:46.630{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\surveyor-20210906115751-113MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046686Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:46.229{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C98414A8D553E30D45117E7B3CFFBC7,SHA256=0B7DA7E365B42C62F4670873FBBC1B6904FAAA97486BF535A291D57FF45BF5FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027834Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:44.957{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51050-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027836Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:47.840{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F58E73FA32C896F35C44C22B8B5F5350,SHA256=100BA515CFD553F27F0CD104996A601B8DC159A43D8C2442602882DF94CC1A4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046688Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:47.247{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A4D4C0DF10DC9E69F506F6A66BBC9E6,SHA256=BD7D82406661C48AC7571F721048F7D092CCE78412FD053DDC2F1FCAF89E09FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027837Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:48.856{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF036023383F7A135F24986108222F0,SHA256=074FD0331602B4A6918EF2FEFC11A30C07CFA1FB8A06E8892997625CD5C5753C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046690Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:46.772{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51826-false10.0.1.12-8000- 23542300x800000000000000046689Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:48.265{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98271FA0544BC2EDBE3E68FC81A78869,SHA256=FEE9AEA3251DDCCB6D61A9C691A4A2DF2C33D5802336B5152594F4C52031A2FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027838Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:49.872{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3220EC9FB5427DEE5BFECFAD65374B58,SHA256=88AD374DD3E24E09CC70B1C363751D4C1CB07D225D45CAE436BC6B96AD090758,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046691Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:49.296{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A582175BDB35B17EB50F7F61977C70,SHA256=5D817EF49B63F8886D71CF9AA5E69ABEC4B5F81D1D9C44BD77B48C8BCB8DC29F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027839Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:50.872{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ADEBC857C42DAFD553BD55C4C4A329B,SHA256=9DA346436DF57187CE3DE57BFCA60680D7E890D73DEC66290AD493E503EAC7EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046692Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:50.326{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EB26E0E53AD00A9C0D9951219B67E5F,SHA256=465E47BB7CF74770F44ED66D24754DC4121E778BED4BA1F2D46073CAF47681E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027842Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:51.887{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=054A639CACDD1FC8AD31DAFF1505CD57,SHA256=C6FEC928944A40107BC6A098E623C41863766217EC82CA8FAFE7B2E0515DB19F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046693Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:51.343{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD45F2B788131203A9EC9C697E836F92,SHA256=E2F50FB6C7AE62CF0789A03E645C471F17D2B049232A8DA0F0E924DCB33B03E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027841Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:51.684{FFF7FB96-041E-6136-1200-00000000F101}1020NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9243EB203E755A67DC755DC25E1A6CD4,SHA256=248ADB7082CE170BA352AF106EB10987CB73ACC65B6391019D40961B8B234C86,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027840Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:49.972{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51051-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027843Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:52.903{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CADCEA2809B27525F232CE830AC2AEA2,SHA256=270B3470D358DBEB470299ADF25F1A10C3F21DC5383BA50F3054FFE06869E11F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046694Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:52.353{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87DCDAF6F76DE1D2909D989CCA6F8928,SHA256=72CB62A6E89965CA85709E5C8B3168B238A973D9A3D57DE7679D20ECB36519A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027844Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:53.918{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A28C8CA9D83381C7AC21981666CB2565,SHA256=BE0B12FF4901A382865E977AF8700A2BFFE9C2487983DF94E90DB2CB9FAC2346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046695Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:53.388{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BA90C51882E973E0BF9FBBAB5F28387,SHA256=387B854E1F14EAD8399D56993978861247D73E55EE438B1805151214A4B7BE74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027845Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:54.918{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24E4188F146DC0948B202F5F9ADAED0A,SHA256=C8D48437B94A8DFEAAFC441B343B9D934A6DC9C198868AF19501CCB93D91D845,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046697Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:52.746{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51827-false10.0.1.12-8000- 23542300x800000000000000046696Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:54.407{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=305BB9C231988B9EB00349A1D8308AEC,SHA256=D897859CD7D48A5E0049F8667204232B50C911C0DC76B709C0AF9A1A34BC418F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027846Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:55.950{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABB05EBA38BD6BC6F08708690B9DB530,SHA256=748C4EA5F9850DF57FFD076EA351D759D5A27D9272120C70C7184109B803D3E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046698Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:55.422{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C96C710B67521AC24B97336BD06FF38C,SHA256=60BD16D66E54EA8EEAFC3093F892CD63DFC795D80A3E92C757B6D7DDFB82BA19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027847Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:56.965{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B09DC3DCF3C1D73DAB44572211F122,SHA256=1E18DA5481AD48E7F5E2AB587011D7CFB941C216D6C383A27C0414BC6A928B3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046699Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:56.437{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C84283234C47767192CCD69932A0383A,SHA256=C9D724876FFDF931A170FDDDAF89D00D9F9F5E5A243E268E76353988E85ACDE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027849Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:57.981{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F7F5B1A4382BF7215D98989AAB7470,SHA256=2B51DF41B087A405D4C1F54776AF97A51159F2394CEA8189494380B5AF1C18E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046700Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:57.454{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA880EA1724D52649CB577A8A645A25F,SHA256=6EFA844C6DD065337C14592D247C8B2D2210F58305686BA306CE160E5E04CB82,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027848Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:54.988{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51052-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027850Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:58.996{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=579E0C6AB183346814211048ADF72D06,SHA256=0A22FC91993ABE914AC4931751C0B49B0FEF8FD57C805AA76F7D2D44EEA36089,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046701Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:58.473{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D74B3B742A717A7AB249C193E0B2C9E,SHA256=7E295358E05014A707D9B04D5BA16F08C9EEBBAF2BAB25406FDD4046EBB2C05D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046702Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:59.489{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2620D4F1FA053AC033FC7BB4DA9223B,SHA256=7A4344DDB558B3A4255297329D4CEC555C9BD25BE9E516126C795DBF282623F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046703Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:00.504{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C037D2916B10C05F8F85C364C4905BB,SHA256=0E72671BAF29809532ADA86E471D4AE1EB923A0E708077B401B90AF430BD569B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027851Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:53:59.998{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81DC7A3E611AF5B343ED1152C874AD58,SHA256=EEC8FF7958D30380C670F039163353DEE5F62FB9D168FF757D58570AD4642F59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046705Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:01.518{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF4FDAD4FCE1C0F98961E396CB5F9B7C,SHA256=C2096A1D26598A7D8A04611CC929D3B96516024890B9B81F3E665D2C14FB03EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027852Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:01.014{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=213B6488EF1421F75399E712D880A2F4,SHA256=0CEF1833DE72F43E55311A7ED25639FAEB7082DC326C93DEBDE154A8351E0F4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046704Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:53:58.727{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51828-false10.0.1.12-8000- 23542300x800000000000000046706Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:02.519{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27591593EE171778ECD5E3BE77F06A2C,SHA256=23E295C33F7DBC168AE2B2518E3F80B74059171A5E567F32B4DCC4E853E9CB19,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027854Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:00.959{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51053-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027853Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:02.014{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0C3A8784C29AD34D0663D8B8FF6D858,SHA256=2E9E1FD3ED22998BBBE626397F327C2C9E8A72BD5CD429DF2FE82B74EC0D8174,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046707Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:03.552{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=851F5D48CC7B383CC20ED5CBB6838B3E,SHA256=1A87FB146518236DD9F90344B63E5A772366C78B4CEC5859E76AA526FF6DD930,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027855Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:03.045{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D87EAD3CD75B44A43E801457866C4C8,SHA256=F00176D45AF18CE95005DBF0F69DEDD170B8B72E13B9123D80F82D14FF5FB5CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046716Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:04.602{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D146E63426EC45AB1726C880EFB9F247,SHA256=50C27195D4CA7C4AB893D471EE9D92663B9151C2698A11C0FD7224730B8C7C2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027869Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:04.873{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1D7C-6136-AC06-00000000F101}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027868Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:04.873{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027867Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:04.873{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027866Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:04.873{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027865Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:04.873{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027864Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:04.873{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027863Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:04.873{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027862Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:04.873{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027861Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:04.873{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027860Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:04.873{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027859Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:04.873{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1D7C-6136-AC06-00000000F101}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027858Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:04.873{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1D7C-6136-AC06-00000000F101}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027857Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:04.874{FFF7FB96-1D7C-6136-AC06-00000000F101}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027856Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:04.061{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0189ECB9C092ACC0458A150ABEE8ECB,SHA256=CBE19651E2037BF1F14A5CCB45C9C4D6EF912DC515F7D636975FFD38334CCC37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046715Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:04.470{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1D7C-6136-3309-00000000F001}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046714Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:04.470{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046713Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:04.470{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046712Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:04.470{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046711Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:04.470{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046710Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:04.470{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1D7C-6136-3309-00000000F001}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046709Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:04.470{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1D7C-6136-3309-00000000F001}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046708Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:04.472{323FE7D8-1D7C-6136-3309-00000000F001}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046736Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:05.807{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1D7D-6136-3509-00000000F001}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046735Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:05.804{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046734Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:05.804{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046733Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:05.804{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046732Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:05.804{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046731Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:05.804{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1D7D-6136-3509-00000000F001}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046730Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:05.803{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1D7D-6136-3509-00000000F001}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046729Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:05.803{323FE7D8-1D7D-6136-3509-00000000F001}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046728Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:05.655{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5462815768CC15DCC8A0B387EC891E5,SHA256=BD2A262BDCFF22A3B9B135DA46DEAF056AF82BF5853D7030845A60BEE7CBEAF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027898Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:05.983{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1D7D-6136-AE06-00000000F101}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027897Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:05.983{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027896Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:05.983{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027895Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:05.983{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027894Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:05.983{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027893Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:05.983{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027892Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:05.983{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027891Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:05.983{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027890Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:05.983{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027889Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:05.983{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027888Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:05.983{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1D7D-6136-AE06-00000000F101}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027887Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:05.983{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1D7D-6136-AE06-00000000F101}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027886Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:05.984{FFF7FB96-1D7D-6136-AE06-00000000F101}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027885Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:05.889{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5469C491E67B3B611CE51F0E69E895F6,SHA256=051A1DEFB46AEB01617FC802815838397145A749A9A1AFCAE85FEB9B0DAD7A51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027884Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:05.889{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA1EEE107EB1BF9C0FCFCF0921510ED4,SHA256=6732D8C09F68041058187ECC6EFAB9FA428304FAE549302AA3766D01C9D8BA80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027883Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:05.393{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1D7D-6136-AD06-00000000F101}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027882Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:05.393{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027881Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:05.393{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027880Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:05.393{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027879Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:05.393{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027878Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:05.393{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027877Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:05.393{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027876Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:05.393{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027875Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:05.393{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027874Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:05.393{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027873Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:05.393{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1D7D-6136-AD06-00000000F101}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027872Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:05.393{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1D7D-6136-AD06-00000000F101}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027871Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:05.394{FFF7FB96-1D7D-6136-AD06-00000000F101}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027870Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:05.108{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51AE42D8F644999215B9E8B4A10C2A61,SHA256=EE3256CAAB0BEFBBED4D451E4FB88409A2F797AD264B56E6BF04F636A3A81CCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046727Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:05.486{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF6A5021638A2043369274AF5AE330F2,SHA256=3A09F02769DF87706F388DF726F4406B4C65B7E5DEBA134F227F4CF40B6DF2A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046726Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:05.486{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FF7BDA352AC9A65EE1DFEC365840E28,SHA256=16DD747D776264AC9966FE3F2312CDB2C2428F6DBEB5BB9D7E4AB0F26A5F5F78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046725Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:05.354{323FE7D8-1D7D-6136-3409-00000000F001}7085816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046724Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:05.137{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1D7D-6136-3409-00000000F001}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046723Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:05.137{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046722Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:05.137{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046721Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:05.137{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046720Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:05.137{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046719Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:05.137{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1D7D-6136-3409-00000000F001}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046718Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:05.137{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1D7D-6136-3409-00000000F001}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046717Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:05.138{323FE7D8-1D7D-6136-3409-00000000F001}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000046741Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:05.331{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51830-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000046740Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:05.331{323FE7D8-023F-6136-2800-00000000F001}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51830-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000046739Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:04.774{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51829-false10.0.1.12-8000- 23542300x800000000000000046738Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:06.755{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF6A5021638A2043369274AF5AE330F2,SHA256=3A09F02769DF87706F388DF726F4406B4C65B7E5DEBA134F227F4CF40B6DF2A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046737Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:06.655{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18E8D6A6001845F2B7C5C38E5D136D33,SHA256=5D22B3A4251E62DD619E91EE5703CD9226E6F993127947C4C69B795C3AD387B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027901Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:06.155{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7855D5ABB8EBCAFEC17A6C2694221C3D,SHA256=0F26406B49CE1F4384B5114DC9A66E0C1688FC8F3A966B99CFBFA9B8613580FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027900Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:06.139{FFF7FB96-1D7D-6136-AE06-00000000F101}1876904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027899Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:05.998{FFF7FB96-049C-6136-9F00-00000000F101}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046750Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:07.885{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1D7F-6136-3609-00000000F001}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046749Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:07.885{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046748Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:07.885{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046747Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:07.885{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046746Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:07.885{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046745Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:07.885{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1D7F-6136-3609-00000000F001}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046744Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:07.885{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1D7F-6136-3609-00000000F001}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046743Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:07.886{323FE7D8-1D7F-6136-3609-00000000F001}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046742Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:07.670{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E6A160FF875E6709F8D79F9D3300DA3,SHA256=297C84B1EB5FFBD8E7B7BE08BA52A1FF979C7997E20974DEBA15A65C54B95A7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027930Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:07.952{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1D7F-6136-B006-00000000F101}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027929Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:07.952{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027928Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:07.952{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027927Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:07.952{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027926Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:07.952{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027925Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:07.952{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027924Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:07.952{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027923Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:07.952{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027922Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:07.952{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027921Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:07.952{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027920Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:07.952{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1D7F-6136-B006-00000000F101}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027919Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:07.952{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1D7F-6136-B006-00000000F101}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027918Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:07.952{FFF7FB96-1D7F-6136-B006-00000000F101}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000027917Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:07.420{FFF7FB96-1D7F-6136-AF06-00000000F101}23842608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027916Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:07.280{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1D7F-6136-AF06-00000000F101}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027915Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:07.280{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027914Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:07.280{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027913Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:07.280{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027912Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:07.280{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027911Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:07.280{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027910Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:07.280{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027909Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:07.280{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027908Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:07.280{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027907Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:07.280{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027906Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:07.280{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1D7F-6136-AF06-00000000F101}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027905Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:07.280{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1D7F-6136-AF06-00000000F101}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027904Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:07.280{FFF7FB96-1D7F-6136-AF06-00000000F101}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027903Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:07.139{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7E20D5CB3EE2EF320EDFF3EF9EB577E,SHA256=8343426D377F997002E57D95C0E0D991235D102E1905032AD7B16DB6915E1957,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027902Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:06.998{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5469C491E67B3B611CE51F0E69E895F6,SHA256=051A1DEFB46AEB01617FC802815838397145A749A9A1AFCAE85FEB9B0DAD7A51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046762Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:08.904{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB516C3565DACBC65B830F64AC70A6C3,SHA256=5AB621236A64139E71CB39117DB7624111106D4CC1A7CC7A2B283AE2D9BFB382,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046761Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:08.823{323FE7D8-1D80-6136-3709-00000000F001}49526312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046760Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:08.685{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=612E4B2C3378AD542EC4669D021BBAA3,SHA256=AD2AC62012DF9BB1362B357A894BB088F8675107A541AB6A1EB4C8B8825F2B58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027948Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:08.577{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1D80-6136-B106-00000000F101}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027947Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:08.577{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027946Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:08.577{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027945Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:08.577{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027944Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:08.577{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027943Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:08.577{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027942Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:08.577{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027941Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:08.577{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027940Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:08.577{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027939Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:08.577{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027938Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:08.577{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1D80-6136-B106-00000000F101}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027937Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:08.577{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1D80-6136-B106-00000000F101}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027936Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:08.577{FFF7FB96-1D80-6136-B106-00000000F101}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027935Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:08.530{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F68E4D7C606633F36BE6DE44843601EC,SHA256=1FF1693E8368931B8E0851F8781C74090F057A837ACF5E7568AB0D160616CCB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027934Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:08.436{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F97AC157A2D8384998C3C7F7AFEF50,SHA256=FBA489DA7B5E7A15053A78DEA62D60B50A5CE0AC3C35478C76D560B7C78EDBD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027933Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:06.021{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51055-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000027932Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:05.834{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51054-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000046759Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:08.554{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1D80-6136-3709-00000000F001}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046758Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:08.554{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046757Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:08.554{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046756Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:08.554{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046755Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:08.554{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046754Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:08.554{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1D80-6136-3709-00000000F001}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046753Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:08.554{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1D80-6136-3709-00000000F001}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046752Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:08.555{323FE7D8-1D80-6136-3709-00000000F001}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046751Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:08.170{323FE7D8-1D7F-6136-3609-00000000F001}24646380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027931Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:08.123{FFF7FB96-1D7F-6136-B006-00000000F101}37682428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046780Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:09.884{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1D81-6136-3909-00000000F001}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046779Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:09.884{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046778Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:09.884{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046777Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:09.884{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046776Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:09.884{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046775Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:09.884{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1D81-6136-3909-00000000F001}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046774Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:09.884{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1D81-6136-3909-00000000F001}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046773Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:09.885{323FE7D8-1D81-6136-3909-00000000F001}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046772Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:09.706{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A277DC57BC592FFF4DCB114279531B42,SHA256=3E6654017579EC0816288A24BBE076D95F0F4A973A9BF48C52E6A5761A7E5A90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027964Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:09.623{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49B4DC0888E53A7B722DBA1430CF9DEA,SHA256=5E9F77C6D2AB2A750F77FF9C0C1172351911834F04E1BAA627323B3209094EFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027963Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:09.405{FFF7FB96-1D81-6136-B206-00000000F101}2328784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027962Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:09.248{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1D81-6136-B206-00000000F101}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027961Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:09.248{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027960Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:09.248{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027959Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:09.248{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027958Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:09.248{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027957Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:09.248{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027956Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:09.248{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027955Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:09.248{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027954Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:09.248{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027953Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:09.248{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027952Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:09.248{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1D81-6136-B206-00000000F101}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027951Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:09.248{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1D81-6136-B206-00000000F101}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027950Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:09.249{FFF7FB96-1D81-6136-B206-00000000F101}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027949Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:09.233{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C700BDD1A869CD3238EAB300AC05B2F,SHA256=B9319CEE96959F4BFEC9272DD71425757176D5EDD16323563CEB86E10423F390,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046771Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:09.407{323FE7D8-1D81-6136-3809-00000000F001}34922408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046770Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:09.223{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1D81-6136-3809-00000000F001}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046769Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:09.223{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046768Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:09.223{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046767Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:09.223{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046766Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:09.223{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046765Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:09.223{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1D81-6136-3809-00000000F001}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046764Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:09.223{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1D81-6136-3809-00000000F001}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046763Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:09.223{323FE7D8-1D81-6136-3809-00000000F001}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046782Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:10.721{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BAAF5CCF28938FE65DBA333CC75DFC8,SHA256=332B0DA86388763C94610C4439C0E6E2965E5D13A2D850D420AF3BFCD143BDE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027965Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:10.248{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F536A5348A72FD0F512483B0902BBC7D,SHA256=1A7B63204468125BEA8558C168695ABA4C2F012C89D4448EF88318342D781602,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046781Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:10.237{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2512FB7C60571B44618F5343DF14A4E5,SHA256=2E00BC94D8261E7FC427F9A0653A1B73060BBE08A789D8480E3A9858A83AC151,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046783Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:11.737{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17B48F6635612F90DD9A6B3E3DF8CF8E,SHA256=948A3C5212669BAA2746F79C58B9A0B398F4E6F35DCFDAA3ED2D5054705BCD0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027966Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:11.295{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C0B4F41A3BC9CC149867F1EF0C57FC0,SHA256=3E911DFF6E160FB3311C5128E6EA8BE656B6047FCA0F92EF151D66DB8740F3E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046784Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:12.752{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C2714F36D0908B592FC66DF3E5B349D,SHA256=31BAC05AC6111B3DE0B545A89E6D687462344EE51E1B2722DB0096F01E8CB74B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027967Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:12.311{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B3752BF1D86800091686B96C142B56B,SHA256=31996028BDD58103C2F758A12B05700513A732D17B2B1CB4E6FD6406CAF54332,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046786Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:13.767{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2FFB0C92C553E5065C7E2128FDDA81D,SHA256=A2DBF556AB1DDD5D7089806AD413B6D9F33E0C6B22DD3E68E2B10F8FC2631C24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027968Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:13.311{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E29040D41D8AC631B2324CA808DD68C,SHA256=C44EE965619C31B11391A5B839C62BC8BB8B4085AC10B9E05F354321F97F0596,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046785Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:10.776{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51831-false10.0.1.12-8000- 23542300x800000000000000046787Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:14.819{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BE3A2E090CAB87A7D3BE43E93ABB0AF,SHA256=4EEB764880F35FDD4180CB43F9D0C265D544FA43290509CFD8D3DD2BE2B7C666,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027970Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:11.960{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51056-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027969Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:14.326{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45EBDDFF0C44905394C5E0DFC7A21BB4,SHA256=346AE404EA89D54DA17E0566DAB55CE72CCDB042715FCDBF772D53928866907F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046788Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:15.819{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CAC09568C3636B74ED8CD0453EB727B,SHA256=548E1B136648BFA1E560FAB4AF588E45694A00875F18CBF5DE01EE063382C0A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027971Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:15.326{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8D9F587DBDD1898976CCE903C6B8086,SHA256=6DA7474C05E7DD628086A099951DA35F028DA9DA9D380E128478222775528C90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046789Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:16.835{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BB5BB63705169D45A1B1D20D6E82ADF,SHA256=0BE8894C11138ECF26F18ABD46337EBB2B35C2F06597B01D71FED29B16EB2E0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027972Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:16.342{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB504B3BFAAF82444FDEC7B3B60B79DD,SHA256=32E6322A4498E13099DE753F3E6BE454444FD1E9FDEF4257A4BD91E5E26EB179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046790Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:17.865{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFDB14E802F7526881E29980F6778882,SHA256=98A484E26AF4C656637D993810B36A71CE02B4D341572846980C7B1725CE6B04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027973Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:17.342{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CA3ADB04CD18DAF0832A348CDF29359,SHA256=F0DE439A8EA998004553F0FEAA866334CDEFD5683E7DAC3499A1807C701246C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046792Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:18.865{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5441EDDDB17A12F925D3DEFEC9B5BCA1,SHA256=F1D1313A01E2A31435F3EB5FFEB73AACCFF3586E2FAFE9327C358BBF44DC85C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027974Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:18.389{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A8CE4F300F543D84F2E9782DCC2BAC1,SHA256=C1D53E2DBE7E60D0224F5AC50FBEF8C26758081A2E8CA9C9899ABD1912B3D596,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046791Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:15.842{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51832-false10.0.1.12-8000- 23542300x800000000000000046805Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:19.880{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDEB6FB1D4B21AE01A8EAA0AB57C1788,SHA256=FB6D5582C96BF22419A211E05405FA77755D5D060DE6E4DE20A66A48C87456E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027976Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:19.403{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57FB3395F302831271020769B76602E5,SHA256=270FAB52BD9A48C480598623C6E4E515A8D0B8E5C3D263A03D522E27CA0155EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046804Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:19.780{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=E1C4FF64149FFD13BCC5ECE59DCD0001,SHA256=2054BF4C6AE1BF54277287B0FC77139145C35AC38A38338915B4D166DE7C9886,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046803Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:19.780{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=CA60EBB5D194598C4CC37BE010FFAD70,SHA256=74E7AF3E006CD1419C627FA6CA0996C15FB4A2081C47743049242936A6B99186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046802Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:19.780{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=607F2AAB0906B13D6A6DDECCE881FA7C,SHA256=6F046EBEA415F827F82B358C08359E176AC175377C527599359C5E399D90B951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046801Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:19.765{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=1B6726778254E70E36A454A219D19AC9,SHA256=B9D1501751820D98140122BC413AD62544095D1387686BA84FCEAF1D5AF1B1D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046800Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:19.765{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\aborted-session-pingMD5=D309E0434C33ADFC61F3F0321CFD5771,SHA256=1B3296F68BA0D977298F0FB47723B4B5804A9A738F4F468CC890CD1BA0C9C8A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046799Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:19.765{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=136B7B348DA9CB414F1CD7CDE7894652,SHA256=FF4225FC2C9F549625F5D636E035C895749685B12CDE3745323DE622A8C7830D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046798Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:19.765{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=CDAB949B803A79D80ACAB443578DD4C0,SHA256=22CC4630FF3844ABF616C6DEEEB2B45593B99A24E98B15DEC231B4D6CC24B7E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046797Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:19.749{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=68208F0CC37C661BADE5A1298360AFDD,SHA256=CBFC295A4C0073D5116DC7BC0FDEB845634FB11EE2FEED3B7C4D3E0FD4E40B2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046796Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:19.749{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=AA7634A3880723C5CDD5636DF8F852BE,SHA256=740EA3B4DDAC397CB2473152DD5896D1320C06726E241CCE11432EF40F1EAC19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046795Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:19.749{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=2C0E4ADD48DA59E9218EFA1432C849E8,SHA256=A9EB3FBF2CB5CE90A6F507F2909CB7AB166FEE3122FCF91D7BDF932D5AD1BFEC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000046794Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:19.349{323FE7D8-0617-6136-F403-00000000F001}4476C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\SiteSecurityServiceState.txt2021-09-06 12:19:19.165 23542300x800000000000000046793Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:19.349{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\SiteSecurityServiceState.txtMD5=B07B453273389C2736558DE46DB82637,SHA256=E2BA866B53195D97D8F5C6CD0201243A9A8DDD7BC11210FC390BF57C9AE6C119,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027975Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:17.068{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51057-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046807Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:20.901{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=662EC185F85461C26E2E76D3897229E6,SHA256=5CE8F5C3E12815939E708783289D24624D4379A774EAEDA8D1A2F93BC382A4CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027977Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:20.403{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68263B2A42816AC43ED362B606AD1AF9,SHA256=EEBA4CA45822390F6D2B2BEB4609ECC8EAFAA066B022A3D7E8C36505613F841C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046806Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:20.302{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\pending_pings\121eb352-f13f-421f-abff-db519fbed4a1MD5=38021950629544CE611C3E289D4241A2,SHA256=961C55E1729C0CFDC7EBD7660F670865DEC60C28D3A78306BD321BE77F485F31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046814Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:21.917{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F122AF0E4F88D3BB24E4096337D4E6C8,SHA256=E7C9D77521BB6B8ADCE1B87DBF82EAD50B09FBA1ED334A1885DAD4B0553EA13E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027978Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:21.435{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7699CB763CC3FEC5E3BACAB510F70E76,SHA256=879B5B409EE59E80D497EE7DB673F2A164D62730112886F677EEB7D0D7DB2AD2,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000046813Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:19.389{323FE7D8-0617-6136-F403-00000000F001}4476pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com052.13.236.190;34.208.57.189;35.164.22.70;44.225.87.131;52.88.2.59;35.167.137.152;54.190.205.249;52.12.55.135;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000046812Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:21.201{323FE7D8-053B-6136-6E02-00000000F001}44404908C:\Windows\Explorer.EXE{323FE7D8-0690-6136-1905-00000000F001}4808C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e8d|C:\Windows\System32\SHELL32.dll+61e00|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046811Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:21.201{323FE7D8-053B-6136-6E02-00000000F001}44404908C:\Windows\Explorer.EXE{323FE7D8-0690-6136-1905-00000000F001}4808C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046810Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:21.201{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-0690-6136-1905-00000000F001}4808C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e8d|C:\Windows\System32\SHELL32.dll+61e00|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046809Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:21.201{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-0690-6136-1905-00000000F001}4808C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046808Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:21.201{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-0690-6136-1905-00000000F001}4808C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046818Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:22.932{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=762959E57B406EAAA844B1A7C6ABD96E,SHA256=ADED97BB21119AA21630545EDB4FC90FB8E4AAF94D87252096FC8929513DBDEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027979Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:22.528{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59F2B29F1DE030E5713301E5CD00DCBE,SHA256=F66890E88210AEEE9886839F1FEE5B2687EFC7559157C8E92E45265945596C9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046817Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:19.522{323FE7D8-0617-6136-F403-00000000F001}4476C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-456.attackrange.local51833-false52.12.55.135ec2-52-12-55-135.us-west-2.compute.amazonaws.com443https 354300x800000000000000046816Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:19.383{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local50402- 354300x800000000000000046815Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:19.382{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local53514- 23542300x800000000000000046820Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:23.947{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D6D8F5B69CDEE930E3239756FAFC503,SHA256=31A7F129E59BF0D00BF784476E78080EED833794D07F21F7BA7789F6F6A812D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027980Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:23.543{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABBA9B1B5C63AFAEEA0654EBF6570161,SHA256=489EC3A8169CCE52B8CCFE4201BD5A405434D837705ED20BE76BD919D09D5BBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046819Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:21.624{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51834-false10.0.1.12-8000- 23542300x800000000000000046821Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:24.962{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D8082A775089EC298C6709B52E96797,SHA256=3AB4B068910BE7D28829457DC2E745CFF39D77668CF05BFF6FE0F54D21107025,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027981Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:24.559{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2168888F322940AD0D00832B210DDF9,SHA256=D96E20AF766A7800C7577E1A9CFCF1D74826CE7DBFACA0FC969100148CB59997,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046822Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:25.977{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EDFD317659921215B5258DA3B3FC8BE,SHA256=28363DF592AAF6134CD8611C9B3291CDD909A266F8F555CAFC02FA50BF279F7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027983Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:25.575{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1354A6B074942577B76BFE79D0A90E61,SHA256=30C7A9FD398E817245B8107C16361B9F99A8AB1E81E1E375D8F79805B00C7FA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027982Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:23.066{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51058-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046823Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:26.994{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EC7FF5DF204144F6EA43AE1C621370B,SHA256=61A204118FDA40A41F4D73498FF99EB18BEA6F56A93BC011C709FE34BF47EA98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027984Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:26.575{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ACFF2A154811F12C8CFDFABB294D67D,SHA256=9B40F3B6B20D1C8C1AC283F551EBD302C4B9564C9FDE2F65AD5E6F24189A740C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027985Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:27.590{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0A45C376D8FC4FA5D93CB7FE23ED490,SHA256=ADC02D578C9932B21D06D29155DAACD8DD448002078BFB74CD0D0DDE51953547,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046832Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:27.613{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=AB5734502261F1FC5AED2F5B50833820,SHA256=02857AD2032EA01DF73E3D998628AF3F691B0D270D74420BBB020F621DFB63FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046831Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:27.613{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=359E1660DB5010571FE6085FC48A6948,SHA256=AE16ED1410994B96AFF1AC45355D23BDF88E174AA9FE75090D021CB33E77FFE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046830Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:27.597{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=2ED6D69F869D80B11560AB839585E45B,SHA256=8CF94BC3E42ECCA0DEF2D25F65ED4B8595782418B1B2945B131DD6A4C336330D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046829Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:27.597{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=75E4F3AE6EDEB43687FB9C8787630CF1,SHA256=AE62AFE78F97CA56B1ED6A80232AEB962DD85EC3D9FE134CD173EE9965D39A4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046828Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:27.597{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=D5B16146D24900C37CEF2DFC1A55D25A,SHA256=C8251E4BFEB0247F037C1807C6FB3EA084A1E06A0D94793AD7D98746592F4652,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046827Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:27.597{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=0BD06F68E3DD48931F685FD9DD0E8244,SHA256=54109CAA033604926D9C0605FCFC786E282F3069027DD8C414A0753511EC1A74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046826Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:27.597{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=2B64055B0D21AEA77480099F98AADD1A,SHA256=5EC2FB8A799BBFDD502EEBF1764A24BC1444920045081941E7C70FCBE6671D38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046825Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:27.595{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=A57F07A9AF71B2526BAD0CC4324DF64B,SHA256=DFF9D3B2ED0C5CA5BBFF56F32244C413E817761305FCEFEF38DE10AAD1D1D4CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046824Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:27.593{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=007A29D13A7AD22CA070E631ADDF0A76,SHA256=BD78AFA9D837DA75ADFF6D65D859D2AF63405FC16170C8927C9F9460DE4FB0E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027986Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:28.590{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99FA42B928E877D19D036355F9DA3AA9,SHA256=7C70779D2D11FDA51A69DC87319C05F602661104EAE3F02D661851125B28DE08,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046834Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:26.820{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51835-false10.0.1.12-8000- 23542300x800000000000000046833Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:28.028{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE89FA92FAE312A40A194C605D152558,SHA256=1D9FB4E5A8088EED8640C872835EEE4AA7B80E823C3A9602887D23C5237C68BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027987Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:29.621{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=133C75A31D0044D1B188B19F6A2879DC,SHA256=28207DAC39F18221085DCC216D5B0EA7496435DF9E74B9A559525A3FBACF5D6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046835Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:29.043{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A954F9101B9C736AD092CA0E4B2BE94C,SHA256=6FEB905784023BE1B58C3B960C583B608E9EFA7E787FE02AFC4AE2B774A292E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027989Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:29.050{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51059-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027988Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:30.653{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD134FFFCC8D3995585FFD3D5011AC2,SHA256=224771D9713C72FB5F939E8820AA2EC180FDDD0FC850E2EDD017BF73C58A21FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046837Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:30.542{323FE7D8-02BC-6136-A700-00000000F001}1036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046836Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:30.058{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36F26B91C96BF1A43942FD8A6C046680,SHA256=9CDA7659405DAA57458E6888DDB7BFF5F2AA4A24DCF368B4C675F8E795303D46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027990Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:31.684{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3ABE64940148733CE47E9E1089AF1AF,SHA256=FEDA4986AB92454243CFA0894EC7BD0F5981A99295DDE42307BA0AD0F5F93294,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046838Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:31.073{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBAF13B238DD03BDC2EFBB5E07641D44,SHA256=F7C26FAAE9103FBB8B193E1F9CF7AF5E9AFCA110D0F7314F30F5F92EBCD7E75C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027991Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:32.684{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A09267359DD1FE1AEADB782F0FACBD8E,SHA256=8A0D17459D1EDE79FA691A9EDB7B1144E655A8C0EC8315664F6DFA74299DB7E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046842Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:30.118{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51836-false10.0.1.12-8089- 23542300x800000000000000046841Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:32.091{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=485A8089486264F0E88D59A3FB34DAA3,SHA256=2C59AEC861B23DD510D04A3A452EA2ADBE365CC57B11CCED8795703DE9C97963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046840Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:32.010{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046839Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:32.010{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=2CA64A36051A9175C3A72BA256EBD3C0,SHA256=46CB277D86F3A256885B227B2AA49B1F4E81B1C456AFEFF0F864EFDAAB20D4D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027992Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:33.699{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F771749CE529DB78881D87F9B88ED57,SHA256=B5BBFFE95FF002FD003744E0E62ADA3BF1A90C780622817F8617282DA486C287,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046843Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:33.111{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BA28F255FA9D5A4CDEBA266C292678F,SHA256=AF73765157CAAE529FFCC2FEF1FA04CF3878DC8FBF49FE8930DD79D2C15D2880,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027993Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:34.746{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4228EE5C6E40E5FC65C6FBDD89F2E21,SHA256=579D6D093DD398B5D9B76F0C72A8F95A63E62146F5BE69A00E3EA37997D2F22A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046845Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:32.665{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51837-false10.0.1.12-8000- 23542300x800000000000000046844Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:34.126{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F793B034CB69EE56D67F7B5A6D06A2A5,SHA256=FFAB57732E69DCA3CD9A010DD249065F12F0C7237DD449994AF97789A4296515,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027995Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:35.755{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91C39A38CB3FE860653DF427F352812D,SHA256=3FC658CAB6926453DDB96E473B85E0C1D3312E35CEC061E475E174653751BB15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046846Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:35.142{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40B803301F8EE7469CCEDA7C3A1948C1,SHA256=0AEF09E9E7DD80B88446B6128C054BE36EA73D65561E725403E9EF34CB75CD8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027994Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:35.424{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\respondent-20210906120554-105MD5=4761C661187147E55C9BD88F93ACDD3F,SHA256=E49051AD655512C416AEEFA39D6145E31F50204E8459201070596158B48A8487,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027998Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:34.066{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51060-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027997Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:36.784{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B75AFEB447F5AC0A131D1EE99D1E18FE,SHA256=050A82B64E1671CE310934BDF6C78ED35D703BFDA2DF6AF1F7EB20945404619F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046848Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:36.341{323FE7D8-022E-6136-1000-00000000F001}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7625399A2D14139D0A76E21F52755419,SHA256=FC2D1A9DC847CB8EC8581154429E592DBD0F1230C9DAF196A0832DA350A16E07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046847Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:36.157{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E7013A69E9F018C94CAEE8B5B4304A4,SHA256=0176A85785884185E4CD6522DD06903C808FB39BCDC2EC0E06C2C3312C33F996,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027996Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:36.428{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\surveyor-20210906120551-106MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027999Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:37.818{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FECFCDEFC8938285B24CAEAE45923AE6,SHA256=C87DCBF072B554BE9DADA81DD31BDE40B0403BF378124633C13BEED4D0085211,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046849Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:37.190{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56E8B379DAC53B138AA581C7465F1249,SHA256=4CAB90A912518BC309969D278E91602A0BEB451C606C1E32AA0BB4A9508F477D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028000Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:38.833{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE6C37B6EE997697FFBD5C53CCFC77CE,SHA256=6293FEEA2B39E7B6B1C2D92F7FFFE9CB3C30F83614291CEAC8C8D5A3321873D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046850Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:38.224{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=733742616B87C4912C5B4901AF4A2DF2,SHA256=8A2DABB0BC90E8507181ACC17D69D0429052456F619925EDAAA327E8F0513FB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028001Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:39.845{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00A3D2DCF975681063D595D3E8C78723,SHA256=B9D671A776F834413FAF319097BBE0FE28AAE7CAEFB187D563DE9842975C915E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046851Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:39.224{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E5CAA9AE020E866F196CB0F6EE5972,SHA256=291F847FFB24D888E84D913305F23E2ED201E572AAB9DD46E7133D4AE8A578D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028002Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:40.845{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=923FDA7D25FA32447E3F17F35D80167C,SHA256=C9BF4FB6AE9D8F3E51B074A38AA47080B7E65014857AC67D31AE19CAD182305A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046853Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:38.631{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51838-false10.0.1.12-8000- 23542300x800000000000000046852Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:40.240{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90395AF5965E68AE0A2E69C2CE486C4A,SHA256=AC340D6EACF12F9B384A2FB43F1F00603AF9BD375DB2A2518FA9C008D8A422DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028003Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:41.923{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7237C1C18DAEF3DD5BA71362BF6B2CE,SHA256=96D7B978413ECEB2EE100493558D2A7D26F15B826BA85EA3E00988C1EECC2609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046854Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:41.255{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F26AFE55239E1D41689DE554918B0B0,SHA256=24DE214FD52C366C5FA1E8D32637D16D2F0F17E0DFAEF7ACF8184EBC67D236AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028005Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:42.939{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D183A0F535E7DE714DE28B48988E330D,SHA256=B6622FFEF8678FA542A5BA1859383A166E7AB855A489AC44D53FDCA94B09E03C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046855Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:42.270{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FB0F985F86C28188BDB421E42F8F4B5,SHA256=4B2AA0975CCF302BA07FDA61805CFED6DCC58CE0CD7088DD788BDFA6F6DCD9CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028004Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:40.024{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51061-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028006Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:43.939{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B89CBDA1100F000A48B586C32A7079FF,SHA256=E3A6154AE4CB575A7E668BBB45ECC0966E2722C179F744AC1DD1E690FFA735ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046856Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:43.287{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECEAEE3DAC415EB2ED0FDAAF08DD524A,SHA256=142891B3135F2BEFA73BF9835AF0FC7B7F9C3000082B52BDB07C04BA560A88BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028007Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:44.954{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFC7B248B5A27A08789E9669A1BC2AB7,SHA256=90B32EF1693F1459FDE5E0F1BC816C8818DB6A4DDB202481EE138E46C17FB972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046857Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:44.306{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D779438185F0D83E527759A3A3E3F9D,SHA256=216F3E7EDEEB92EF652B2294C04D4AD9952BD5301D27C6C1757394FAEF93DA0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028008Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:45.985{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=861AB2B86453C7E192595A0AE18810F1,SHA256=8BCB355856C82F50222FBF527862237BFBFD66F8DDF2A9D182367811A3A5B5F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046860Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:43.219{323FE7D8-022A-6136-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-456.attackrange.local138netbios-dgm 354300x800000000000000046859Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:43.219{323FE7D8-022A-6136-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-456.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x800000000000000046858Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:45.321{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64CE0360F980F17E5644BB5771531CCF,SHA256=6B93FB403EC290A3D23D2D7FB475C405FE0EE54791876D9D54E58257B1C06FC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028009Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:46.985{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=077E21305AAB6EFF4F14F631AF27C847,SHA256=2F08526142930B0CBD3B6AEE4B44600E366A0EC80549E4E616690B6B896725D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046862Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:44.659{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51839-false10.0.1.12-8000- 23542300x800000000000000046861Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:46.322{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC9855AF4DE5493EB791257283CA0C0E,SHA256=DF5A1BE60D4AF71F49C0BCE6A8DA01598AD9DF3B378E9CF1F6B7DBE0A42C367B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046864Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:47.338{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B15ED1D2D09291CB1569A7B288B4AE18,SHA256=C98CB4E04580B4252AA2C1EFC2B89DEB36181E323148370D710DD9F51EE79893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046863Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:47.155{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\respondent-20210906115753-113MD5=58D52BFFD80488B8005F7C319C2D4334,SHA256=B9D8441D1BC2ED8425146F5F211E2A21C477807F4E0B7EBAD9811C868FAB9279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046866Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:48.353{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3518D71F3B04A5E4C2BAE10A8E06F30D,SHA256=DB142DD8BD55B6BAB2D23A458585FAF64E98BA2AFC4AC0850FE5CB38E0FE4C42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028010Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:48.017{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0902DC9CBB6B6EA8688CEF897D3604CF,SHA256=DA77DA0E3872812E0043B87DD86F91AB6FA2FD6626A42F05EC0F4C929D4F2B42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046865Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:48.169{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\surveyor-20210906115751-114MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028012Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:46.008{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51062-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028011Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:49.095{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47BD71DE40986628FF0E73506BE379D9,SHA256=030A2B6928CABD680C7B04DF33891D7E8906B53F8AEA3E8C5519E08B95CDDF87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046867Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:49.368{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=752ECEDCFE0AE3920CE37D7E5E0C37AD,SHA256=532EF5D7F14A350E83ACDE52BD3F7F64188845487AA3E3C4AFE38316DB4DB377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046868Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:50.386{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7B5E81A909490EFB73B437551316CE2,SHA256=4EE6C835C3AD5BDA6F3DF40CE824296C73FCC136D2A30C7E6EBCD977B5166B24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028013Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:50.110{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57CEA1DD09F0F63AE3AAB214075746B9,SHA256=CBBEB3668DE42717AF57159580C66B73599D7D73A1FCD202D4CB8A2B1007B50A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046869Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:51.405{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=757A02D6E551EBECDE549778770F10B3,SHA256=E2732E4FFA0143E6578BD05D381AE6DA632FD54A6D7FE7E99A0450C04533607D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028015Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:51.689{FFF7FB96-041E-6136-1200-00000000F101}1020NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C7A306D510C4EFDE1806B2144C320FF1,SHA256=524685CB58B014917104203F6A4E9763E01E7F116F07877996C85261DB9FC05A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028014Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:51.126{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10AD12448C307BC24A3EE0087BBC37C6,SHA256=6648280B515E83C41616B516458DB62E6600B5181864585790E34AA0A59AA257,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000028026Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:54:52.845{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000028025Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:54:52.845{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0063e405) 13241300x800000000000000028024Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:54:52.845{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a31e-0x621f1c7e) 13241300x800000000000000028023Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:54:52.845{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a326-0xc3e3847e) 13241300x800000000000000028022Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:54:52.845{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a32f-0x25a7ec7e) 13241300x800000000000000028021Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:54:52.845{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000028020Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:54:52.845{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0063e405) 13241300x800000000000000028019Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:54:52.845{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a31e-0x621f1c7e) 13241300x800000000000000028018Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:54:52.845{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a326-0xc3e3847e) 13241300x800000000000000028017Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:54:52.845{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a32f-0x25a7ec7e) 23542300x800000000000000028016Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:52.142{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95C1E64E38C4D31732D785C6D9DA0D99,SHA256=C9372B3E5E6B0EFDCBEAC38665C8C61F823E54835B2A350CA8A7F9D13CD35111,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046879Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:52.851{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=A9676169659D99E74E5563199922837A,SHA256=559B6DA91EC7B3D528559E66FFFC7192CC992962B0D867A43E17E94BC57474B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046878Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:52.851{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=33AC862AE8F36C289AC18F13866037A0,SHA256=232A247169B6AFC072E323297DD537031AE4743B2251DD4D00A0D98D499A2C10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046877Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:52.851{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=B3E1673AC602B47E1D5A8948F87E49D8,SHA256=BF85C46546EE6A23B84D93BD5358CD3DF0177B8D4499FBF29930A8DF088410D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046876Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:52.851{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=E47831599167F3E2A5B21D34A9BE5C7D,SHA256=468C772EF88B18321F2D9E00C2C68001616325C911A2C57D60370E97ED295968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046875Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:52.851{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=1EE69A77BE56B265124FCC9AE4FB3DB8,SHA256=38E4F9D12E79F9B5333464DE31B799BDD34D14F9A46EF91883A699888BC7FD5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046874Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:52.851{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=0C779B3C41455D4D6D238F7BE868C909,SHA256=D33179FF9561C09809DAD62D57A572AF786B718E5E10D8A4C531EDCA540D6C8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046873Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:52.851{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=77870B8F7FCC2C8B8ED7A0683461624E,SHA256=8F77A77D87953B31B37F43D213EA04169F2E2C47C7D11FB04AD76161BB786012,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046872Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:52.851{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=5616A4E691696B709E52921967C1AFE6,SHA256=597C1645AB18528C0ACC85DA883F6B7FA97B6D34F88ED63684D9FDBE11E98CD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046871Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:52.851{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=A5A3FDA61B13DB82D6B8E0E1E5800903,SHA256=1F7E2BD96C3927B7C64F10967DE1D2483866D365A5DBE5B66F99F0AE3F87F17C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046870Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:52.420{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4F438B4CC427EE6B39789B7724C66CE,SHA256=20AD1B3A8208DCDB4DE17ED88F14657CB51A72375BD54B0C07BCF3F667212F96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028027Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:53.173{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=563F3CFB03ABF69DBE7F89E716595177,SHA256=917533E4BBB86ABD184723E566BC25343C96F7EE9E2722AD93855423EBE65CDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046881Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:53.435{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C561F06D28E4DEB33F54F684DCBC4197,SHA256=5BFABF59AF4E0829D9E4EFE63ECA788B51E6AA85960742CEA61C450452F925CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046880Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:50.696{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51840-false10.0.1.12-8000- 23542300x800000000000000046882Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:54.465{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB71BD2A10E42FC4F1B9F1E5E5AC2DAA,SHA256=47B8EE510DD476A5C15DA5774D2007FFBFDA24B2B9A657ED77FFDAAF6B2E3B11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028029Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:54.189{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89FE74E2201E0D25045367023FC0AA2A,SHA256=293985939E1ECAFECE49F8FFEC4934F2A2DCDD5FB4E86AA050B1FAA7038F140E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028028Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:51.993{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51063-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046883Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:55.502{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0625DFBFECB1EB42DCF04F2F0A28CA4A,SHA256=C8CCCEA56BCE59F42E761799A03E06FCED36051A0B65BF35BC60B768B4420A8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028030Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:55.189{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6844D5E4C2D2CB231CEE8199C43519FA,SHA256=2F23F16EA2813EC119E76169D0CF3B9439531F85AAF753C81978F111E7225193,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046884Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:56.533{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=672AA0F17F471847DD0AF4B48DA447F4,SHA256=937418AB29B3C74794B5BF340D0B42DCDF11C936D494E61EE5A10D9C13545789,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028031Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:56.189{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98BB139EEC1CB72DCE2E1B1FFA03C769,SHA256=BDA0ABBCD3528867396E1A4702A9F6B921456172010388A6A75394880296AC1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046894Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:57.864{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=C5C2EF9663FC8C3CF6032E6AFF6D7740,SHA256=54A47220164CC194821859F709CB2C78469E2290CF03B33921A14A6325F30FCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046893Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:57.864{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=66C03EA90D197733A6BD63AAFD2996A5,SHA256=988CFBDBFC98532C34A6CE5652D0B272AB0AAE325B952CF7208382375608A4BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046892Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:57.864{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=9E810E5F8A0F914E8CDF8780D7465FAA,SHA256=B00ADD6F65EF484425D18EFE43043C1F4624359134BADDA749BF772DFB3E2FB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046891Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:57.864{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=8B9A31A37DD3C315C3F53695E3B30596,SHA256=09FE0D48EEA38F9D2D8923BC75069B454FA340A16489B208602B7B43BAAAD67C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046890Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:57.864{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=F514BAC5F58DFFA440208784448C2471,SHA256=5E9323905AD2E8967A6D54049FD3A82CFF7C84BA1276CF0456190DD1F077DBFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046889Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:57.864{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=FF84E28F44F14B0297CD17F7ED5EC82F,SHA256=7B3F100D70020F4AA2EC9C9BB1363080BA6355A607B3DD28AA4445E5A19D0446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046888Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:57.864{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=501F4D0B6386409762C8D1774C5E6AA2,SHA256=915A68D112D661809484B740E3C04ADE130A5D7E82ADDBBD57BE8A0A3F83E697,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046887Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:57.864{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=BAB30E3E39441FCA9EBA420E636423AF,SHA256=54CD091B723F9AEA454406522E516279FCD58EC39AA40F55D1C72E7585FB9323,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046886Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:57.864{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=83A15AFAD0C8BE0F672D94CB9941CE82,SHA256=16E31D6CF83A969B8D785945F0DBF5022B6452058F69508BFEBBAD0526876E7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046885Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:57.564{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E46FF80C3D1B27FA288E8D095D0B6148,SHA256=5A10342BD36AA1F043F0E3F4E47463252601A5A8ED9B0B576EDC9421003E8B32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028032Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:57.204{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ECCB30D8630DB69C83F6AD8FC86CCC8,SHA256=E52558C674618CD5A4C878B8E6EDE05A2817F6C4F0472B1704E7CCF6D7D15A4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046895Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:58.583{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC8218154C533D488F15D6262B37E793,SHA256=BA46AC2CA1D1E404FF9CAB6FD7C861AD5430138FD522C5988F679A280F4EC0B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028033Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:58.204{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B8D088CE69B2765259A36079A53AB87,SHA256=0F03EDD47CA8333AA8FB2517DE4F2F693CC908407C2F633027402A6DB2F3B3D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046897Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:59.600{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6376FB21A466C616552DB4864589DC92,SHA256=C915D6A499DA9579E1F607D9D0841AB73A5986DF1C3637375B017745A711AE53,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028035Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:58.024{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51064-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028034Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:54:59.220{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48199A5DA286D8E015DF9F681FB10470,SHA256=F2DDA9137EFFC425DB8D7745989CF5751A541321A60225EAED61AB5DC12E1B6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046896Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:54:56.671{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51841-false10.0.1.12-8000- 23542300x800000000000000046898Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:00.631{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA76765BF5E380D3212E9BA1F81C371E,SHA256=80AF6C4944CFCD80CB93BEEBF85B4AECD4DB0C6866E314E7268DA8E043F2242F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028036Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:00.265{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B467F2E2A3B233BB49E5FE1E85DA7BA3,SHA256=03C028C085355F627194D69A9D20FE46CB01DE7E5071708DD9DC9EEDA899B81A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046899Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:01.661{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E671A89221FE47E9199C0C2EA7BC0ED,SHA256=463B7BA30EBB74DC916772C4D93A38D882152C1256E40597F53B59A8DBA91C57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028037Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:01.359{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0FD8DC1E88F05992BD89B8999E685C2,SHA256=52D98F70E320B42FE8A1A10139A5D5D72DCFE40684FF02028E081D7131EC75E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046900Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:02.680{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FD3736B1FC6DD25875514548798F58D,SHA256=787664F505DEB64CF50B7E35495573EDEE0218C3AFBA8BFA1EF88F3C982EBC77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028038Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:02.405{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B6055ED709F3B52C1DD7A66E8AB1FA9,SHA256=8ED50194887B33B7BD48CC2EC21C78AF2FEB02FE3F9F2C5E946BFF8D945660CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046901Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:03.697{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4605FDC249131DAA7BC0AC91AE1B5C66,SHA256=8185742FAE3380BF77AEB23D77030EC8F01C56A90788FC7D85422AF00DC09A96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028039Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:03.421{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C85A11FF213B750972C505D4C2CC8E45,SHA256=37695A1A8E9B0CA3B8B1337819F82C6C526B2C603961F3161DE874CF30A21BFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046911Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:04.713{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E490F6F57F9A609FC88922F96228D147,SHA256=468D62A131D3B3231C0E67B133A0D4A64C1072235A70278904D76E4BAF191E3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028053Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:04.874{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1DB8-6136-B306-00000000F101}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028052Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:04.874{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028051Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:04.874{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028050Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:04.874{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028049Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:04.874{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028048Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:04.874{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028047Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:04.874{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028046Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:04.874{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028045Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:04.874{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028044Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:04.874{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028043Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:04.874{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1DB8-6136-B306-00000000F101}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028042Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:04.874{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1DB8-6136-B306-00000000F101}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028041Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:04.875{FFF7FB96-1DB8-6136-B306-00000000F101}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028040Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:04.437{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F30F4B57F25C260B5E704270544FA6,SHA256=D91EF8EBD912D584DE25AA6BB1CA6D54352FD24C76C4DB948D10DB72752DBD30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046910Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:04.660{323FE7D8-1DB8-6136-3A09-00000000F001}17365584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046909Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:04.481{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1DB8-6136-3A09-00000000F001}1736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046908Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:04.479{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046907Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:04.478{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046906Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:04.478{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046905Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:04.478{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1DB8-6136-3A09-00000000F001}1736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046904Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:04.478{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046903Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:04.477{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1DB8-6136-3A09-00000000F001}1736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046902Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:04.476{323FE7D8-1DB8-6136-3A09-00000000F001}1736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046931Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:05.828{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1DB9-6136-3C09-00000000F001}780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046930Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:05.828{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046929Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:05.828{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046928Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:05.828{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046927Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:05.828{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046926Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:05.828{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1DB9-6136-3C09-00000000F001}780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046925Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:05.828{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1DB9-6136-3C09-00000000F001}780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046924Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:05.829{323FE7D8-1DB9-6136-3C09-00000000F001}780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046923Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:05.728{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B1793AA9ED958BD6F34D2E1BF9C09F5,SHA256=3E56EC9F8E80F18FED4F80CF38315EF75955208C53C069CEA5A6A194DC6BA1C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028068Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:05.671{FFF7FB96-1DB9-6136-B406-00000000F101}37803980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028067Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:05.546{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1DB9-6136-B406-00000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028066Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:05.546{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028065Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:05.546{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028064Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:05.546{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028063Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:05.546{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028062Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:05.546{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028061Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:05.546{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028060Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:05.546{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028059Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:05.546{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028058Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:05.546{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028057Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:05.546{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1DB9-6136-B406-00000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028056Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:05.546{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1DB9-6136-B406-00000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028055Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:05.547{FFF7FB96-1DB9-6136-B406-00000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028054Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:05.452{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF57403481BE8015223D5D0F9878C5E1,SHA256=3D5D73353595547D2AD8DC3A24C74358DC87FA3CF50194E120D3365C766FA82D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046922Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:05.512{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8FF227DF5B5C719EDF179E0E327D1AE,SHA256=7FA0B13E61F3E9531387F7B91A650D247CFB7979C42DF6A892BF9C046E7C9991,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046921Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:05.512{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8C45E57B31C6B42F487BE175C58005F,SHA256=66CDFB5540537B2E8D987055B94EF5B9CB76F6E3EBA2F655BE654FE55A6D2174,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046920Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:02.689{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51842-false10.0.1.12-8000- 10341000x800000000000000046919Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:05.159{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1DB9-6136-3B09-00000000F001}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046918Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:05.159{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046917Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:05.159{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046916Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:05.159{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046915Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:05.159{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046914Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:05.159{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1DB9-6136-3B09-00000000F001}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046913Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:05.159{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1DB9-6136-3B09-00000000F001}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046912Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:05.160{323FE7D8-1DB9-6136-3B09-00000000F001}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046933Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:06.778{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8FF227DF5B5C719EDF179E0E327D1AE,SHA256=7FA0B13E61F3E9531387F7B91A650D247CFB7979C42DF6A892BF9C046E7C9991,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046932Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:06.743{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58E4630EC4066FA88D8D494D1DEF5D95,SHA256=27A8AB4E8A7C80530B5529D0E30CA8C09227736C166006313013978A200A5D8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028086Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:06.515{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70922642F1D7486BC8DCDC170E45B0E8,SHA256=B0205EAB49EB060D01299B1CE32A268EB470DB806DA884FC3D63CABF1ED76C02,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028085Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:04.022{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51065-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000028084Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:06.218{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1DBA-6136-B506-00000000F101}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028083Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:06.218{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028082Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:06.218{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028081Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:06.218{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028080Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:06.218{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028079Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:06.218{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028078Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:06.218{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028077Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:06.218{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028076Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:06.218{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028075Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:06.218{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028074Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:06.218{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1DBA-6136-B506-00000000F101}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028073Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:06.218{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1DBA-6136-B506-00000000F101}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028072Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:06.219{FFF7FB96-1DBA-6136-B506-00000000F101}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028071Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:06.109{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98FC0D64A581832F36AA96E8F5F15CDE,SHA256=736658E389DBEAD831B24418703995DC46AEA75DA5B158B3987F03FC7366116F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028070Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:06.109{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A1D0ABE8F5D0A1581BF91AAE9C2C0FB,SHA256=D5F622B12415A1F83811F3A22137FA6A9ADD62C586770A1FCCA12A02942A2354,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028069Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:06.015{FFF7FB96-049C-6136-9F00-00000000F101}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046944Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:07.895{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1DBB-6136-3D09-00000000F001}4976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046943Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:07.895{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046942Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:07.895{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046941Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:07.895{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046940Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:07.895{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046939Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:07.895{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1DBB-6136-3D09-00000000F001}4976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046938Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:07.895{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1DBB-6136-3D09-00000000F001}4976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046937Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:07.896{323FE7D8-1DBB-6136-3D09-00000000F001}4976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046936Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:07.811{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D51085FCA4C0DD24C2149D593A071BA,SHA256=469608F682289FF02210B5619C64552CE299CC12001F15B85B93B49DF4CBA82C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028116Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:07.968{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1DBB-6136-B706-00000000F101}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028115Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:07.968{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028114Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:07.968{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028113Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:07.968{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028112Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:07.968{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028111Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:07.968{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028110Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:07.968{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028109Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:07.968{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028108Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:07.968{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1DBB-6136-B706-00000000F101}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028107Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:07.968{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028106Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:07.968{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028105Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:07.968{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1DBB-6136-B706-00000000F101}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028104Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:07.969{FFF7FB96-1DBB-6136-B706-00000000F101}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000028103Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:05.850{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51066-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000028102Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:07.530{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74CAA37023180774815BCA56DD0AF7ED,SHA256=3F7533FDF71A51C52683A70C85BBF91C472E3814555B29A97FE871680A32E4AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046935Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:05.335{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51843-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000046934Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:05.335{323FE7D8-023F-6136-2800-00000000F001}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51843-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 10341000x800000000000000028101Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:07.452{FFF7FB96-1DBB-6136-B606-00000000F101}34123740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028100Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:07.296{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1DBB-6136-B606-00000000F101}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028099Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:07.296{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028098Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:07.296{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028097Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:07.296{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028096Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:07.296{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028095Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:07.296{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028094Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:07.296{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028093Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:07.296{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028092Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:07.296{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028091Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:07.296{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028090Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:07.296{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1DBB-6136-B606-00000000F101}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028089Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:07.296{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1DBB-6136-B606-00000000F101}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028088Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:07.297{FFF7FB96-1DBB-6136-B606-00000000F101}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028087Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:07.265{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98FC0D64A581832F36AA96E8F5F15CDE,SHA256=736658E389DBEAD831B24418703995DC46AEA75DA5B158B3987F03FC7366116F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028133Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:08.796{FFF7FB96-1DBC-6136-B806-00000000F101}40081128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028132Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:08.640{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1DBC-6136-B806-00000000F101}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028131Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:08.640{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028130Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:08.640{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028129Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:08.640{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028128Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:08.640{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028127Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:08.640{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028126Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:08.640{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028125Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:08.640{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028124Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:08.640{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028123Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:08.640{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028122Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:08.640{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1DBC-6136-B806-00000000F101}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028121Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:08.640{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1DBC-6136-B806-00000000F101}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028120Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:08.640{FFF7FB96-1DBC-6136-B806-00000000F101}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028119Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:08.546{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=947A49B8F314FBD351FCBA8D7AAAD265,SHA256=39B5B2C83B51906897E130D16834A311451740AA7DF626118300027586D94431,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046956Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:08.896{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEB3A8B165ECA5D34150AB1451E1D717,SHA256=E9A53307C883947F2D5ABCA4145BD98CCC56168D8B142674365095B958D92971,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046955Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:08.812{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB60A9CEB1D70BDA8B2D193790A33654,SHA256=DDA2F15D819FDFF2F17D850A00A61EA2783AAD7A12E5F25FFF4C3BC5F0E80A81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046954Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:08.712{323FE7D8-1DBC-6136-3E09-00000000F001}3288104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046953Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:08.559{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1DBC-6136-3E09-00000000F001}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046952Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:08.559{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046951Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:08.559{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046950Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:08.559{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046949Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:08.559{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046948Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:08.559{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1DBC-6136-3E09-00000000F001}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046947Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:08.559{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1DBC-6136-3E09-00000000F001}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046946Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:08.559{323FE7D8-1DBC-6136-3E09-00000000F001}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046945Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:08.096{323FE7D8-1DBB-6136-3D09-00000000F001}49765528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028118Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:08.312{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF89FB966C33F4DB19C2AFB3E2288F96,SHA256=110D9F1FF463F3F9A53649908363E30E943AD313A5AE7A4B4FD050676586CE98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028117Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:08.124{FFF7FB96-1DBB-6136-B706-00000000F101}26803752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028148Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:09.937{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF642D8AB651EBA2581D642CAEF209AB,SHA256=9F17961A528372317EF9AE04B556E9907EC46AFE38E035A42DE5AAE33B6816FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028147Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:09.937{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0FD8DBAC6BE5FB82C76F1E085BF4DA33,SHA256=F2A1A4BC2B7ABE30855C1A431FCAD433F1A64D8B69A80EF48B838292BB42D83D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046974Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:09.912{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1DBD-6136-4009-00000000F001}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046973Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:09.912{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046972Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:09.912{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046971Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:09.912{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046970Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:09.912{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046969Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:09.912{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1DBD-6136-4009-00000000F001}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046968Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:09.912{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1DBD-6136-4009-00000000F001}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046967Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:09.912{323FE7D8-1DBD-6136-4009-00000000F001}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046966Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:09.812{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA51AE2DB3E46D98A2CDC883E8D57F9E,SHA256=CD1F2F75CE92277FECC163061D496CA85BE18120656265DA7D8C002CD8C22C40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028146Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:09.312{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1DBD-6136-B906-00000000F101}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028145Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:09.312{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028144Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:09.312{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028143Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:09.312{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028142Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:09.312{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028141Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:09.312{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028140Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:09.312{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028139Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:09.312{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028138Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:09.312{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028137Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:09.312{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028136Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:09.312{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1DBD-6136-B906-00000000F101}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028135Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:09.312{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1DBD-6136-B906-00000000F101}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028134Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:09.312{FFF7FB96-1DBD-6136-B906-00000000F101}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046965Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:09.411{323FE7D8-1DBD-6136-3F09-00000000F001}44046380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046964Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:09.243{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1DBD-6136-3F09-00000000F001}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046963Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:09.243{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046962Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:09.243{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046961Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:09.243{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046960Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:09.243{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046959Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:09.243{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1DBD-6136-3F09-00000000F001}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046958Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:09.243{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1DBD-6136-3F09-00000000F001}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046957Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:09.243{323FE7D8-1DBD-6136-3F09-00000000F001}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028149Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:10.937{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=508E08B3A1BEB1616E9CBF0C77B84654,SHA256=46A5DAD429D745E5EF6B45B289276DC157FEFCF436B5543FAEDD5215F9F966A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046977Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:10.827{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C5B0B4535E4D4CB4B73578FC97CB485,SHA256=7C98CECA8FEF7105B5200C4F42B73027BB1DBB30C063F5ED9A9E40659EE886BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046976Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:07.834{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51844-false10.0.1.12-8000- 23542300x800000000000000046975Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:10.296{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F46020083B607B34203A455BD73D457E,SHA256=7C97EFBE475B19E19185D0B7E82B014F5667A0AFC3C72FF6B489F9819AA59B85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028151Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:11.952{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEEAC5F749468F35A85E1D5877054C4A,SHA256=0BB071AA405E5C13025EAA734F8F486F29E0E2FA7A4D5627BA25218EAB90B5F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046978Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:11.842{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A843C864DF79CBC5BB8393E32D1A05A3,SHA256=73A065D10D49D8F283663D3B6E7866B6544832F52525E6E92F4BF5B0082A822A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028150Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:10.038{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51067-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028152Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:12.984{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BFB16A71898FF2763ACED03A53950F6,SHA256=11C79B6850D93C60068F50D84DC75CF6DC6C0131B718743B4AEE8D4FD1B390FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046979Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:12.857{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CD00FEF0C70E205F099FBAF270E5263,SHA256=685622FACE468A499A7A77299165DD8AFEE6B8F482798E6F70FAC18E54D7F686,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046980Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:13.875{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75F44DBEE10C689E1BAB51E299F7301E,SHA256=DB8F00B615960A2EC4871D7C9988931194F858167E40C54DE71161EF6A283F96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046981Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:14.894{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=245E180D68C6322CA5CF6259A127B4B3,SHA256=759272E36F1C9A8AE5D54F345D55FEE1BB3EE7268A1E03A4CC297E952483737D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028153Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:14.015{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B0F25A743BB40B610E675B9FCCD32FB,SHA256=516AAB03CF154A1A05471F5787767A4073BF60916BFB68094C74FB6DB65D2219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046983Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:15.925{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86AE9EDB596E512E485DBF071A2E236E,SHA256=860EBBDCB6F261E05B4DC2CD559AD68550C0277AD4D7AC3FB606E2D2B28CE487,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046982Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:13.685{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51845-false10.0.1.12-8000- 23542300x800000000000000028154Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:15.046{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AE498BC1C15F66A314F061CF2151A16,SHA256=1C856B380BBEF273009465CBE999984CE069FAD248F16E10927A35BF5631C0FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046984Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:16.955{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E3CD55D213C6A10925497B18B7E4B7D,SHA256=138663FDE2CB816154E39F46D68D125CBF73DDBC4FEC05D99A23411AEF4FFF76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028155Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:16.077{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8990F663328B67A71CE2A9567C528AA0,SHA256=F333F6F7AF35DDEA4F13BC63F327B3F523B8350388C7A04CF08E961AD8D431F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046985Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:17.992{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=835E322E11E9DB917BAED693E5E4E45A,SHA256=B654C9084CAC59EB1B4EEBBCCFCD2C43E04FC5F016EB415140214171939CB176,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028157Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:15.944{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51068-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028156Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:17.109{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD49754218C1486F3B6A0E31F233E328,SHA256=B906C730CCD6EE30C9807C417D86FC23634ED1ACA97FA7040AE389296E037ABB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028158Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:18.124{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=901020D6671F529B105EC67050C67F84,SHA256=CDB0447614FEB9FA66C7A1FDDB9160FC3C2D606C7B7D5B19DF38CF60D3651269,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046986Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:19.022{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FB69C788FAFC4FE6345F6EF01DCD006,SHA256=002517BAE87731EEF6C57107177E70DF5811235DEC63D1D0962142DE4934FCC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028159Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:19.140{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D48B6DD4DCBBA96EEAF8A86A902A07E5,SHA256=D4B3B32485B35416B709077F651741038C0E04ED7201D18C4FF992F184BAB365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046987Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:20.053{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A716ECB4B79559BCE352F3028BE8FDD8,SHA256=C06954E9B24E3CA9101855DDD03180154BB2CBEECE32E43368A92C57FB7E578A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028160Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:20.170{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38A98AC5C3FD9E5A272973DFC53AE15B,SHA256=679028FF317B31C1633BF0FEC803DF1BE5C9D091DC5A0300390E75B88C97EBBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028161Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:21.201{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43A3073C30E37493DB637EE40F1F303A,SHA256=F1D6B27C10D49A4BB8D295887D51ED7D7446BB8D88FF47373C1F369C426FBFFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046989Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:19.698{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51846-false10.0.1.12-8000- 23542300x800000000000000046988Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:21.071{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B54921DB62D53BD12136400D342CE275,SHA256=CE17097E00DE44EE0359C5BE8AABC06AAAC361A1A13648B1C77303D5159AC3E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028163Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:20.958{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51069-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028162Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:22.216{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07AECD0F489DD9179C4B91DDDFAA141F,SHA256=8B2D7F843E6A83E7FD54771EC07DCF563206E14A30C87FFC431E8F8C9955A19F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046990Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:22.090{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3DE2F7E2A78C9297F393BEA1962F078,SHA256=4D17803C8BB5FC5E842491692546C9227D12E3FAD2E368D2F2E9F8EB7E5B1B40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028164Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:23.248{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=988FE20885E357330CDC3409B911B913,SHA256=2618E2A4348F009F2AE4CAB0A65A1F9AE307F27C6258D93A7E1CAD575ECD3C16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046991Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:23.123{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D9A1403B270820910A03A43FC5B8DAC,SHA256=97A2EEEA6968111F33778C3382F8DFB97C2533B8B52BF8E9E03E08937791F31E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028165Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:24.279{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E645D3BA9CAC1B4BA0856BA31D62402,SHA256=077D647600A2A53F27DDAC7FBDBBBA91DA33674CB67EF911EEE64E352BA6F07F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046992Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:24.156{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87CBFE8301DA7B6E555BAA7B54FC744C,SHA256=C436B0E9B61B8461685350CF87F0005010ECA83AA599040C77F9399BCDA0B5DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028166Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:25.279{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A380F849E737C4F78F23E1AE60B71E84,SHA256=E7CF0EB629115CE1A3EE161E4F5D2DDD0073D27511824210FC1FAB92CAEAD8D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046993Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:25.174{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4728FE4D9FE13F1494FBB786AD5E7DE9,SHA256=4BF48541E7B699795E9A3B45EE24C6943EFBDEEC25E2FED5A535B306EF0EBFD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028167Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:26.295{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57CBE8F626D47C9359CE251FC0740B1F,SHA256=D82EC1098E001959599B9B0232B78A80B98025D16D48652FC6F62B52882F9188,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046995Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:24.815{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51847-false10.0.1.12-8000- 23542300x800000000000000046994Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:26.192{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FE52E639EB1A9BD2E59A5886FF570CA,SHA256=202F615404A69D0F42116D60EA0909AA4FF283BE4F91709583AC75CA34E3F80E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028168Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:27.310{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD296039F0DE370518F51024B5242F77,SHA256=7D4114EE1BF6C961900EDE78CBD37EFBEBAC253CA110884F53E6B0EC141C0C57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046996Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:27.223{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1633957A35B30483E1D73F295FD4DFA5,SHA256=E6DC4D46C21A4D2E6ADDD839E5511612CAFEBFE9CBBAD7C612F847529F313844,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028170Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:28.326{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B30852F5C4AB98114EDB7A4380DE197D,SHA256=11D5F3CED07AE386C3385C9A1DF8DC772F00E23403C4AB0B6A24D216FE0BA884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046997Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:28.253{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AA359C4438784B9C4B7B6222B709066,SHA256=18BC3011DC227056FA64495100469F8025DF6B7F5B3A457378546047B0DB1E1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028169Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:26.052{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51070-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028171Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:29.341{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4F6A196E694725F745A3D3E8FBA9052,SHA256=0070B6EDBA245122FB3B58880D5D3A22E8BF5E8ED8BE6FF2CA5ECC598565CA96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046998Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:29.290{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39385A1BBFD701B7D52BEDCC2F2D58DF,SHA256=0086BABEFCF74744CA342C0C61170479EA23DB80ACA75F3AFBB14BEAF1038288,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028172Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:30.373{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43513C5F83663C822B74C5D97B03415A,SHA256=D305F61D4AD235342826A53F28E218AA2B7C0504DD037806AB471D28133A2B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047000Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:30.552{323FE7D8-02BC-6136-A700-00000000F001}1036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046999Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:30.321{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74B16DA19DB2491A304431CDF5E8668C,SHA256=B7A2191DF508E536FFE265FDB432B6EC3AAA4C70DD81FFF9C09BAD703A4E01EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047002Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:30.143{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51848-false10.0.1.12-8089- 23542300x800000000000000047001Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:31.351{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=049B196ABB3210F0A3AC12515EEE3E0D,SHA256=3FE1C51A32950260177EFA8EE2367756748BA8AC95F826FF3C266B9CE3E1BA8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028173Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:31.373{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96695C022F8BE90906AD90291BA74A12,SHA256=F6FA138D6C2C2E05248817D1C3B91A4490BF9D8040BE86CD0D601AEC593F580F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028174Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:32.388{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=661B1E5C1E367334EDC612283A2863A2,SHA256=912F6017B1873D37C7C58C245508545E904AECA1491171AC6670D45B31E469C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047004Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:30.762{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51849-false10.0.1.12-8000- 23542300x800000000000000047003Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:32.369{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA97456E24F6CADB99C4921C0C141ED4,SHA256=040088D6A8BB0BE9D6CA39557E353F36C1702A545B8C15161754140EAC406DDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028176Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:32.036{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51071-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028175Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:33.435{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D075D2270D9A6C3926B5B147510A04CD,SHA256=C1ECB20D79250A1C1DA39D663086D9568D182A354AF9200D2351754BA8045419,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047005Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:33.380{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FF9947D794F7B7F4C30BB1B0FEBB80A,SHA256=FD852E9751157C8B95A0176A07A8569D70CC57776BB36981928C9C89ACD990F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028177Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:34.451{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A2AC67CA5C0BBE32160B9A16DA460E4,SHA256=78A4ECCB2EB158C4E4831B9677F8D75149A22786713E856EF6B0F1D226E2DF6F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000047016Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:55:34.529{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000047015Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:55:34.529{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006c1b2b) 13241300x800000000000000047014Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:55:34.529{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a31e-0x7ac9a786) 13241300x800000000000000047013Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:55:34.529{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a326-0xdc8e0f86) 13241300x800000000000000047012Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:55:34.529{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a32f-0x3e527786) 13241300x800000000000000047011Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:55:34.529{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000047010Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:55:34.529{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006c1b2b) 13241300x800000000000000047009Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:55:34.529{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a31e-0x7ac9a786) 13241300x800000000000000047008Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:55:34.529{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a326-0xdc8e0f86) 13241300x800000000000000047007Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:55:34.529{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a32f-0x3e527786) 23542300x800000000000000047006Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:34.398{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE3999AC923292678D9D8AAD8FF37531,SHA256=6BB6768F7101AEED0FFDF476E3C646E1254F824860A93EB7570A835C80F5E207,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047017Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:35.413{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F56C27BD01753BD4459E588571A49B01,SHA256=E3BCDBD81B196C0CF6AC0FDF554B439A543B65E1461F25A1D7C6947ADB5D783A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028178Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:35.466{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C017D6AE2D5E84B443D7CDEDF2C4666E,SHA256=5F5A68EEB17B72E3150FF0C1D016C23B09EAE33633D395BBFFF4721A562ACDE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028180Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:36.955{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\respondent-20210906120554-106MD5=4761C661187147E55C9BD88F93ACDD3F,SHA256=E49051AD655512C416AEEFA39D6145E31F50204E8459201070596158B48A8487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028179Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:36.468{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0637008F220D85F07AB1FD217392FB71,SHA256=D08FF8505399B289237798E8FFFBE8AABD206053C125ED6C97B104EC4B9024CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047019Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:36.428{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03A27B48EDA3741DECFB724D1A81B1CF,SHA256=5F6AAA8A64CDDE5ABC8ECF7388F66BC51DDCEDA8512E51B89FFA280C17372B1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047018Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:36.344{323FE7D8-022E-6136-1000-00000000F001}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C91B0338A98BD7804022931C54A63393,SHA256=117A4C59A375085E405F0C80E0738F152941DD7B562546FD89626DB05D9AACB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028182Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:37.953{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\surveyor-20210906120551-107MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028181Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:37.468{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1CB56C78E36284685613950243AE051,SHA256=DFAF94681B0192CDC463AC3EAEE025FF81429423DDCF1B3BF2F55B71C9DC82BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047021Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:35.851{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51850-false10.0.1.12-8000- 23542300x800000000000000047020Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:37.443{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFB19E9929AAEE34D9A186768F224045,SHA256=6635CDC27D6A52BC93A389D2B2D1DB4259D4BF6D101EE53B6EA068FB6F399353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028183Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:38.484{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BCD7B681D990879AF722C689D441CBF,SHA256=2170233F02D9DB4C1297CE348C152D0A640EB69559357BB068A483893D23BF55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047022Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:38.476{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF1891C29EEC854704D317BF69AE6FC2,SHA256=FC315A1E892F11AE0775B50E0FB9EF65FEA57FE6B52ED403724C954D431742A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028184Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:39.486{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B0ADC7D01AD52D0483E37B1FB6684E3,SHA256=1EE0FBE1B1BEC577749C5392ADCCD61EAFE40BEF9BF462C57B3C03F238B49114,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047024Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:39.488{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D94CAF76E12778F3E4C96DFD4820D34E,SHA256=11D23B455A7A5B7B7A8ECC197CA586D4B3A5348773A8C327377F5C58D42BA13D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047023Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:39.226{323FE7D8-022C-6136-0B00-00000000F001}6245660C:\Windows\system32\lsass.exe{323FE7D8-022A-6136-0100-00000000F001}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000028186Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:40.501{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5498AB669B22B5DD53C743C169559123,SHA256=BD27B6C6DA6E47C32C660E193E5B0C12EC1C47ACC12773CBCD9C18FE2E0C35F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047033Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:38.818{323FE7D8-022A-6136-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51853-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local445microsoft-ds 354300x800000000000000047032Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:38.818{323FE7D8-022A-6136-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51853-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local445microsoft-ds 354300x800000000000000047031Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:38.715{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-456.attackrange.local51852-false10.0.1.14win-dc-456.attackrange.local389ldap 354300x800000000000000047030Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:38.715{323FE7D8-022F-6136-1600-00000000F001}1308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51852-false10.0.1.14win-dc-456.attackrange.local389ldap 354300x800000000000000047029Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:38.706{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51851-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 354300x800000000000000047028Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:38.706{323FE7D8-022F-6136-1600-00000000F001}1308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51851-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 23542300x800000000000000047027Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:40.495{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE8AA30CA233901F12E75504DDF9E5D,SHA256=2C9FBC01660DD94420137CC958225A2BB9EECE8DADD9D0BFF9A3D1C8464FA787,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028185Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:38.020{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51072-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000047026Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:40.126{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A2434E3833C48AD612ED45EAE63C3F2,SHA256=52CEACD98DCFCD96DC5658AC9EC9951F81BFA198D0E9D434F46845CDD30A63A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047025Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:40.126{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9DC0662435D17056D064A0B8D8353AE,SHA256=D278681788285EA530012FC09E42DFAB2924775574DEF872980231ED75A6E957,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028187Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:41.501{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B307E091FB9A44854535D52D343F959B,SHA256=C9C3BB2D80CE234E8FE0308F84B7492F3C92A93A375C0152D636B31387A42A41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047034Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:41.526{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B1579C3D63DD652303744FBB664A4BE,SHA256=A2ADAA0C441924C91715B0B370C47384A3C1581892238036791E974729B9FEDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028188Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:42.501{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9027B9FA02103C895F215DA71D251890,SHA256=94F5D8745DE773FCA556B9274CED8742876B114FCECB2E30E90BA77C1DDB0EA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047072Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.795{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=233C2A9E88D85CEB0B2295CB95ACBBF0,SHA256=D73275A2B01ED2E65BB6E40A1DD5DAC7D98075E83E57BDA42CDC82D9B6422A57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047071Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047070Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047069Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047068Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047067Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047066Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047065Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047064Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047063Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047062Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047061Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047060Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047059Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047058Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047057Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047056Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047055Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047054Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047053Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047052Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047051Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047050Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047049Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047048Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047047Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047046Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047045Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047044Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047043Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047042Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047041Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047040Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047039Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047038Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047037Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047036Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047035Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:42.026{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047073Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:43.825{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1A55DCAAACCEB15F1600B382A697F60,SHA256=8903207F912FE6729F1659A91747E49B6E497E5EE5572555C0B0BC3D5D740D35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028189Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:43.517{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4227EFAB176024BC97AD7D940975DA2C,SHA256=CBF744168BAFC3BFBC5AF7EEDBFA48EFFA5F95DB84E322A32D245E4EE6B1DB09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047075Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:44.840{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB14886CBDE507B1BF4344674F8CFA95,SHA256=BD0B42422EC5464BD4015371AF688E901E1168A698862600E17A165CC9F99647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028190Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:44.517{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70308B0AF4EAA5081E41448F60ECC191,SHA256=C7034184A14183BC86DFEFD1E62245D314E5708FA1C66DD6B8D79575FF8C370F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047074Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:41.633{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51854-false10.0.1.12-8000- 23542300x800000000000000047076Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:45.855{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D411682BDE1EB3F4B7776EE822DA0780,SHA256=8EF7DC4965CE81E27E57F4B7EA73236DAA7E56F5599312987F01CD3FD68DEFDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028192Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:43.024{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51073-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028191Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:45.532{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D67181299FA7D37C8DFF8CD35400070,SHA256=701AFA75370458038FF1C7FE2D12E10000F5398D7379B2566810D33D6CFA2767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047077Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:46.872{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81698AA5BFEDB50B70DA3145D1DCDF29,SHA256=2CBA40325E3A7DFC454008EC53DA850A88182523AA8AE110389BFA27331D6792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028193Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:46.548{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63851777D31926710031B288614DAD07,SHA256=20681E2E7F3F1E9543A2114E1A605F4D093F81C380F401EE1D2609A16D000725,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047078Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:47.892{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EB244C5235156365E6ADC0BD53B7EFA,SHA256=D69F15C13EA96591709620E59738E271D96D6370FEFCE64562F7EC2935088497,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028194Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:47.548{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2DEF05656DB6B558A364AEC0E2E75F1,SHA256=F08CAF6600EFDC2562395D2B235BBC85D57285B19EB5FFCE321D22398DCC0319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047080Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:48.907{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2683136D7372C374D5485BB58B67F03,SHA256=06B7D5627681C3341881F2B7EB59F5D8A08DBE0A099E7CF6153BDDD465D8FE93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028195Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:48.564{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF338C7A6083F7E90758B5FBA84F0B8,SHA256=8E822D7825305ECC8786EF4BFC6A134D59DB008FC8127012B26046BADB70B751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047079Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:48.695{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\respondent-20210906115753-114MD5=58D52BFFD80488B8005F7C319C2D4334,SHA256=B9D8441D1BC2ED8425146F5F211E2A21C477807F4E0B7EBAD9811C868FAB9279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047083Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:49.938{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3DF89BFC8001595B6BBEF2E35A7D7AD,SHA256=BF193DC3F3B76F5ABEB63BE82CE493EA56E583133569152FF77B9618A4FF4089,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028196Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:49.579{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C855C0DEA0DB6E96857C6B1955C9011,SHA256=8FB5BE9F7C0AFE640F5A56DE42E5C9E71A3918A3A552D84FD61B48925E7A02EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047082Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:49.708{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\surveyor-20210906115751-115MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047081Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:46.814{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51855-false10.0.1.12-8000- 23542300x800000000000000047084Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:50.953{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0264FC7BF5BE175A45852279BE4AB508,SHA256=941C1A0E6F33FB405FF11EAA58C69ECA7C0A21E8A6E5D9795B78474F137D34B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028197Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:50.579{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8289C5A5FE25CA4BE41050169D64D0B5,SHA256=655BE1B304176F218D588F075FA87E2656B3F43268A254084ADDFDEF050F69AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047087Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:51.971{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7BF2DA5F8C4411EDE3794433DC30178,SHA256=FDAB746B0383C46F122F687A58660A0DF5F534A1A7F72BFE133092ACB5B88542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028200Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:51.689{FFF7FB96-041E-6136-1200-00000000F101}1020NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3106339F0E76B97E9A038556238656B0,SHA256=C4B13D59AD4304B17CA763C29001F210FC7188ECF4F7249B2DAFFB37CBC50BD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028199Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:51.595{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B01964CEFDC3AF99EF10AB8DACB53C7C,SHA256=EF22BFA1FAAF9EAE5452520ACC2355D1B3352D71C862B18DF8106DE2C851F963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047086Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:51.022{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB6AE57DAF5148CCF9442487B14E6C30,SHA256=1E0BB1FF29E5C903A12E38F1A101D99FC5100B11850A7183063FD606ACE20BEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047085Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:51.022{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A2434E3833C48AD612ED45EAE63C3F2,SHA256=52CEACD98DCFCD96DC5658AC9EC9951F81BFA198D0E9D434F46845CDD30A63A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028198Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:48.024{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51074-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028201Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:52.595{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03BC5ECFE089A8D31FFC0519AD473BAB,SHA256=32F72177769DFA70B6B6501BB5BFCC8B0506E1A35E6475817CE20CDF6D9AC3D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028202Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:53.611{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF3C3F602BCE12A26268DD043F3B588F,SHA256=AEC8600954B2F8D6326E505EB8212B7F869BEDFFB35D08DCC1F50C7034B6F01A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047088Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:53.006{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84378D1B8CD4A451FC7FCAC91D6B2480,SHA256=1CC0F820294C038885DCF247841FAADFF2623D37C5B288A7B64022173019606F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028203Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:54.611{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=313214733C0F311717377C64BCC03DD2,SHA256=C08D504E943813E6DDFF53DE9C5A4E8BF2A73FA8832B245ECF856FA8EDDC32D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047089Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:54.036{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A4580F16EBE70D74746D9F32D7BFE54,SHA256=C140A7064C7DC7605E00B2EC377FCD3779557B89D2F9DE7BBB29E9860E8CA9A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028205Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:54.040{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51075-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028204Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:55.612{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=168B6AC749E6CB1514B5EBC6B65573D6,SHA256=04875C2B4B678468A347469EFE06A850E6F6F7D940722017E1AB8CD0DD92D315,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047091Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:52.844{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51856-false10.0.1.12-8000- 23542300x800000000000000047090Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:55.069{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2119ABB33D5F68DDBE9F1B17E24E3AB2,SHA256=84934A07FEE5607CDEE397C6E0E928FB231DCFA315FD202EBE963B81F279A269,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028206Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:56.612{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0906FCA274EDDB222C9F8289661A9824,SHA256=43134C594BC5188E9FCE192C3BDF5DFDF4C321564A8F2ABB26B02A7C33E1CDB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047092Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:56.104{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A10E8380CECA03711B8652F90E89CE59,SHA256=69614EDFE22432450788B75C70E5331F2061D6E0D0DB43D2EEE5958288E22577,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028207Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:57.628{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DBFA1F0984B58428E5AE9ADDEB425B1,SHA256=316A8F6E66655B13A3B972C6A3BC252038C4BFFA8EBBA87C0B69CF4112F8398B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047093Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:57.135{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3206B1D84187AED9FD90302BFA314E6B,SHA256=FD5AC303E684B5E7629C153BD921AFE38F786002192D2D2DBC400502A3D8A664,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028208Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:58.628{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=921D65228E2B1616A8BCE114ED57627B,SHA256=23617F153B72FC9D385A68D4D9F35A4EF9BDB0B72BCDC24391B19E46933B1509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047094Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:58.135{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65B732C49CD8E1CF430B74254AB9EE04,SHA256=F109DD88A8F822E8A70A58B55FD5E1144C1F6A1B001DC694F9FDC751AD45A7AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028209Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:55:59.643{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EE27D6E85B33C4529FE2A010FE26E90,SHA256=2F02B07DAC33A743AEAD0DE8F9905BEDA5B2A90418897809A8A7261E68948084,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047095Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:59.168{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71F7A090B8213582BF942FB9F4A51362,SHA256=17825D904F56BC64294F52D683A9A020B197A3A58C1CEEE2D723E9107DC2D68C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028210Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:00.659{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AB708C9AB1C3AB6C299FF699ECF0382,SHA256=C17C61850E826932F4E85B4FFBB32674C81707F20CD101DF53C66BDBA491DC2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047096Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:00.187{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E40157D3D8FA568420A1C610011D499,SHA256=87001ACB5224199A850576C654F52016D287178DF3EAC432FCEFABDE0BAEFC47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028211Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:01.674{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85E72EB1D8C5FEF7A084D31D346F044E,SHA256=244C194A961C0123154ECDC70FBA48F020A0AF8811C5F5138B9E048966CC0FAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047098Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:55:58.810{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51857-false10.0.1.12-8000- 23542300x800000000000000047097Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:01.202{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57DE0C23C76CF410342C5890884A8C75,SHA256=3DD9399E471413279A6DF168CF2A9F2E4599963E8ACB18150BB441101F356367,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028213Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:02.690{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AC842E7C089F81B29759421E7530F0B,SHA256=24431FBBFFF065DFD04B24899388DFA550ED80C0C8343EAAF494E4645610299B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047106Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:02.386{323FE7D8-053B-6136-6E02-00000000F001}44404908C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047105Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:02.386{323FE7D8-053B-6136-6E02-00000000F001}44404908C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047104Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:02.386{323FE7D8-053B-6136-6E02-00000000F001}44404908C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047103Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:02.386{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047102Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:02.386{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047101Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:02.386{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047100Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:02.386{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047099Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:02.202{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FACEF695C153F4E1E3A325CA2449174B,SHA256=218AB91EC66BC3A0F8C0887C21D392E880CC2CD2CAF0BE87FDCFAF1751C988F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028212Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:00.041{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51076-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028214Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:03.706{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A460B853CB0D68CB061C726923A83C6,SHA256=6D4E68CCC490CD2675283013CAFD6CEE1880FC130BD4CE384E2324C21B525759,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047107Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:03.232{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8FEBE9D5ABA56514DF44B025F5D21F7,SHA256=D6CC6519C0DD42FCAA1EFAB2B2118B35F31CB98EB28CD33877BE4EAB37EDE32A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028228Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:04.799{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1DF4-6136-BA06-00000000F101}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028227Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:04.799{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028226Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:04.799{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028225Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:04.799{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028224Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:04.799{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028223Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:04.799{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028222Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:04.799{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028221Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:04.799{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028220Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:04.799{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028219Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:04.799{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028218Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:04.799{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1DF4-6136-BA06-00000000F101}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028217Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:04.799{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1DF4-6136-BA06-00000000F101}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028216Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:04.801{FFF7FB96-1DF4-6136-BA06-00000000F101}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028215Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:04.706{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63B1D59DB4F2E90287703A60AD4D43EA,SHA256=6CB29FDF529A022BECFEE86C7A0C058BB9CFDD0240A61ABE7963E613CD6D12F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047116Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:04.486{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1DF4-6136-4109-00000000F001}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047115Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:04.486{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047114Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:04.486{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047113Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:04.486{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047112Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:04.486{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047111Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:04.486{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1DF4-6136-4109-00000000F001}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047110Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:04.486{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1DF4-6136-4109-00000000F001}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047109Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:04.486{323FE7D8-1DF4-6136-4109-00000000F001}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047108Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:04.233{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=927B291B30EA5A2E612B908F48CB9CDC,SHA256=4FA281FF0788834674DCDDD8AEF037005705912759E05D7E7A0DBD187F044BEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028258Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:05.940{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1DF5-6136-BC06-00000000F101}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028257Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:05.940{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1DF5-6136-BC06-00000000F101}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028256Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:05.940{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028255Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:05.940{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028254Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:05.940{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028253Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:05.940{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028252Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:05.940{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028251Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:05.940{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028250Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:05.940{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1DF5-6136-BC06-00000000F101}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028249Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:05.940{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028248Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:05.940{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028247Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:05.940{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028246Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:05.943{FFF7FB96-1DF5-6136-BC06-00000000F101}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028245Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:05.940{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=408C711B7F0A3BA107C9CFDFA6015AA4,SHA256=F3DD1301F2B4C85AAB5C626684FEFDA7C503BD5B6C5CBC93C888E52FBD79EF2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028244Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:05.940{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DECB0124C824833BB6ADCB78379B2C1,SHA256=12D49FD92B681274AA7550CFCF0A1C2AF2FC6DD19A612F0935C6B8D9E6547F44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028243Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:05.940{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C11CB508810E8B0BCB65C0F62427774,SHA256=9D2D9BF1D5DA7324BEBF2BAB9DD78DDCB9AB2E2C7A7FFBFC30C302A7A5E39158,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047135Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:05.820{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1DF5-6136-4309-00000000F001}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047134Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:05.820{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047133Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:05.820{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047132Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:05.820{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047131Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:05.820{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047130Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:05.820{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1DF5-6136-4309-00000000F001}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047129Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:05.820{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1DF5-6136-4309-00000000F001}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047128Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:05.821{323FE7D8-1DF5-6136-4309-00000000F001}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047127Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:05.505{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=078349B52DC27394D5417C8E13432CF8,SHA256=52AE30976299B556B306511BD4E302436000E39739D4820E824BF824166882B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047126Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:05.505{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB6AE57DAF5148CCF9442487B14E6C30,SHA256=1E0BB1FF29E5C903A12E38F1A101D99FC5100B11850A7183063FD606ACE20BEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047125Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:05.236{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ADB3BB1DD6707D9DA2ABA7E3671EC71,SHA256=929031C4981A62E5BEF7B61C618C8373728A06F86DED2A650A66868EFF625623,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028242Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:05.299{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1DF5-6136-BB06-00000000F101}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028241Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:05.299{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028240Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:05.299{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028239Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:05.299{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028238Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:05.299{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028237Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:05.299{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028236Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:05.299{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028235Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:05.299{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028234Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:05.299{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028233Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:05.299{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028232Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:05.299{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1DF5-6136-BB06-00000000F101}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028231Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:05.299{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1DF5-6136-BB06-00000000F101}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028230Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:05.300{FFF7FB96-1DF5-6136-BB06-00000000F101}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028229Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:05.018{FFF7FB96-1DF4-6136-BA06-00000000F101}24523220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047124Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:05.151{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1DF5-6136-4209-00000000F001}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047123Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:05.151{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047122Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:05.151{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047121Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:05.151{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047120Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:05.151{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047119Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:05.151{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1DF5-6136-4209-00000000F001}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047118Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:05.151{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1DF5-6136-4209-00000000F001}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047117Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:05.152{323FE7D8-1DF5-6136-4209-00000000F001}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028260Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:06.940{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=557C9EA0179154DB2CD69CA6BD874397,SHA256=AD1EAD135D9EFC3A0656AAB312053C566B35FFF42963F9B2EF18D60F5476A8F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047139Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:06.753{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=078349B52DC27394D5417C8E13432CF8,SHA256=52AE30976299B556B306511BD4E302436000E39739D4820E824BF824166882B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047138Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:04.780{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51858-false10.0.1.12-8000- 23542300x800000000000000047137Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:06.254{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B30619B1D4A86923D98EF12B64262498,SHA256=A564585DEA63B2F8C460DA314BB8B6E571EEDD0DF7FC86816395DC0C45476E12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028259Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:06.034{FFF7FB96-049C-6136-9F00-00000000F101}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047136Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:06.020{323FE7D8-1DF5-6136-4309-00000000F001}56281736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028290Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:07.987{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1DF7-6136-BE06-00000000F101}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028289Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:07.987{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028288Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:07.987{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028287Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:07.987{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028286Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:07.987{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028285Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:07.987{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028284Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:07.987{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028283Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:07.987{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028282Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:07.987{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028281Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:07.987{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028280Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:07.987{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1DF7-6136-BE06-00000000F101}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028279Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:07.987{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1DF7-6136-BE06-00000000F101}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028278Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:07.988{FFF7FB96-1DF7-6136-BE06-00000000F101}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028277Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:07.971{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23B884430A950EF0652F008C5C870173,SHA256=332576604841B32EA9C68FC18681EEFA2586994704DEB8DCE3998518556BC12D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047150Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:07.905{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1DF7-6136-4409-00000000F001}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047149Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:07.905{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047148Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:07.905{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047147Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:07.905{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047146Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:07.905{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047145Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:07.905{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1DF7-6136-4409-00000000F001}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047144Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:07.905{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1DF7-6136-4409-00000000F001}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047143Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:07.906{323FE7D8-1DF7-6136-4409-00000000F001}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000047142Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:05.343{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51859-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000047141Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:05.343{323FE7D8-023F-6136-2800-00000000F001}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51859-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 23542300x800000000000000047140Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:07.274{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49AEBE5FAD4E7E72167FD7E666772E30,SHA256=FA8A22DF9FBD6A3381C78455BF66B55BF4DA71997024E88EEB4B980CCCEFDDD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028276Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:05.869{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51077-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000028275Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:07.502{FFF7FB96-1DF7-6136-BD06-00000000F101}2784932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028274Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:07.315{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1DF7-6136-BD06-00000000F101}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028273Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:07.315{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028272Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:07.315{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028271Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:07.315{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028270Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:07.315{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028269Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:07.315{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028268Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:07.315{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028267Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:07.315{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028266Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:07.315{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028265Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:07.315{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028264Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:07.315{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1DF7-6136-BD06-00000000F101}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028263Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:07.315{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1DF7-6136-BD06-00000000F101}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028262Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:07.316{FFF7FB96-1DF7-6136-BD06-00000000F101}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028261Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:07.018{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=408C711B7F0A3BA107C9CFDFA6015AA4,SHA256=F3DD1301F2B4C85AAB5C626684FEFDA7C503BD5B6C5CBC93C888E52FBD79EF2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028306Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:08.659{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1DF8-6136-BF06-00000000F101}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028305Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:08.659{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028304Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:08.659{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028303Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:08.659{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028302Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:08.659{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028301Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:08.659{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028300Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:08.659{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028299Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:08.659{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028298Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:08.659{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028297Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:08.659{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028296Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:08.659{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1DF8-6136-BF06-00000000F101}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028295Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:08.659{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1DF8-6136-BF06-00000000F101}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028294Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:08.659{FFF7FB96-1DF8-6136-BF06-00000000F101}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028293Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:08.346{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9A2E65BA3F993C57CA204497D413CC4,SHA256=C7C6E548914BD6E0E5EA3BEE41E5F7C991B876801D1C3CE89F4E731C3F049330,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028292Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:05.979{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51078-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000028291Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:08.143{FFF7FB96-1DF7-6136-BE06-00000000F101}2692516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047162Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:08.952{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF31744564700F05ECAFDF259507FEC3,SHA256=E9A561D6541C1B819B04A10A76888AD2794DE9EB5209B44831E32FC4386C64C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047161Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:08.721{323FE7D8-1DF8-6136-4509-00000000F001}58164044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047160Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:08.521{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1DF8-6136-4509-00000000F001}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047159Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:08.521{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047158Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:08.521{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047157Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:08.521{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047156Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:08.521{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047155Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:08.521{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1DF8-6136-4509-00000000F001}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047154Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:08.521{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1DF8-6136-4509-00000000F001}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047153Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:08.522{323FE7D8-1DF8-6136-4509-00000000F001}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047152Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:08.289{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0FFFB074861117C9FAA4FD7024242C4,SHA256=CE3E998070E6A5AF4BBC13703B7D4AADA9DBE5F370E4FBA3E7107166A3E6F901,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047151Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:08.074{323FE7D8-1DF7-6136-4409-00000000F001}17006864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028322Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:09.752{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7AEC6831F2B761D15EEF0747C638A7B,SHA256=109393BC84114DEDF52709563852B0FDEC5DA7E60EF07FEA21C6A20DAC1B6011,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028321Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:09.502{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA341539A305BA721A55640A8D776BAC,SHA256=5FF2F2293EBF31FCF6B326EACAE5A6F902996F15829D6D264F768E0ABBC990A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028320Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:09.487{FFF7FB96-1DF9-6136-C006-00000000F101}22761472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028319Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:09.331{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1DF9-6136-C006-00000000F101}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028318Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:09.331{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028317Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:09.331{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028316Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:09.331{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028315Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:09.331{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028314Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:09.331{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028313Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:09.331{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028312Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:09.331{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028311Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:09.331{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028310Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:09.331{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028309Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:09.331{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1DF9-6136-C006-00000000F101}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028308Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:09.331{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1DF9-6136-C006-00000000F101}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028307Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:09.331{FFF7FB96-1DF9-6136-C006-00000000F101}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000047180Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:09.805{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1DF9-6136-4709-00000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047179Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:09.805{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047178Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:09.805{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047177Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:09.805{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047176Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:09.805{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047175Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:09.805{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1DF9-6136-4709-00000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047174Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:09.805{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1DF9-6136-4709-00000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047173Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:09.806{323FE7D8-1DF9-6136-4709-00000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000047172Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:09.352{323FE7D8-1DF9-6136-4609-00000000F001}55283720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047171Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:09.305{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B44CD7D99AD97860DAEFE5F4E5F9D81,SHA256=63C1A837B75C475E6F90F16FC09FB195F6F0D132E4DCEBF32E6FE25085C81DC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047170Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:09.136{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1DF9-6136-4609-00000000F001}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047169Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:09.136{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047168Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:09.136{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047167Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:09.136{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047166Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:09.136{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047165Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:09.136{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1DF9-6136-4609-00000000F001}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047164Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:09.136{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1DF9-6136-4609-00000000F001}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047163Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:09.137{323FE7D8-1DF9-6136-4609-00000000F001}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028323Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:10.346{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3D5DCACF7150701958148B743CD2801,SHA256=D6A42A4542222657B2ED67EE62D787FCDC942618F463F741E1AA614EEEFE0DC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047182Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:10.320{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69E9A3F62D338CECC9DBFD438FA5CAF7,SHA256=39FFDC3AB5B9565AB2C12333C7B6CC24AFFDD7EA7ECFE7BD170C8CFED22F5C4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047181Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:10.151{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58990C0C44BE745E8D324CB1A330381B,SHA256=D6893F5A7AA16FD091DF038E801DCF6A331894EC63702B21549DE997B3EF30DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028324Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:11.362{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5612BB2089BBFA88B9D333830BA513AB,SHA256=6B6B6C18C1E1386A6A42C94AEA99F95DCC278BD38E988000AC9EE4F9958F4FB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047183Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:11.335{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40A2956F27C54856968AB504E9C0F840,SHA256=D793C77DD98B7B8221ED0976B5658EC2EB7C798231D294F17BB0A396C7977AA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028325Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:12.424{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF5D6D5FA67D3B8370E7DADC0B908E58,SHA256=3A0A270DFBD4F6669C472B50078477B29669CC0900AD2AD83A71597B281702C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047185Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:10.711{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51860-false10.0.1.12-8000- 23542300x800000000000000047184Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:12.368{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D49839E6E8F2B142D7F994BFEAE7855B,SHA256=65B14580D7ABBF17601EB121ED2937AED1290E7B112895196B144288A500E55C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028327Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:11.901{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51079-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028326Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:13.424{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D4FE4FCB1CE37708C9635DC39F64904,SHA256=35A99B41F82ACDD16E3B60EE4E727300A139B43F0639DBDEF64008B88E9BECA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047186Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:13.387{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3785DD2EDF630F8EDE94F51AE2EB3D66,SHA256=8135AD8FD00A02447305345E8FC7EB87DEDD9B14619829DD7C58AF0BF17430C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028328Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:14.440{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF8EF5C5DBB9DE78579F888BA788E005,SHA256=5A5BD997D3F004C19916C40314DF8BC4FEB56ACD009A10A66E5FD0AA839B2BF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047187Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:14.402{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F872B6C16061D4FF559F822ABC2132D4,SHA256=1A15B71FDB1C0CF2EA0C147A3F0E924FE230FAF4309ED85EDFA241A8C6E5DA91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028329Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:15.456{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D68ECC52FC633729965B6874BF2000B1,SHA256=64F1C51565AFD01E533B408E7C77C719C024FCCDF42FFDC860A42EF5EE8BABC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047197Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:15.932{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=289F19CC53E82A53A7E3725AF53E7126,SHA256=BB55D85D3AFC8649DD65B308AD38969CE44F04EDD12284524EB390F4D8B43592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047196Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:15.932{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=2B0EC65816247410D53E55BFA7B8E204,SHA256=DE44B8FDED0A6DE8AC55F79CEBC67FF4909713C10EC5CCDA29CBE8FB8DBB90B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047195Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:15.932{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=51E6C38C8CB8FBF638FDDF40B1B88064,SHA256=B5384852D641238D70E66A45957A763240C24F72376D15E468E1CFA710F044EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047194Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:15.932{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=0DA644FD89B3BB1AA76AFCAD98F782E9,SHA256=1A0E841A9D007442D7C06F1C26A4C93A26382B5E8F2F3E4F4E8751AE27247FC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047193Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:15.932{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=A5920820895E5188078C8004FBEE93E1,SHA256=DF95F6AAE226648FE06ABFC04281937D944E6BC40BB1B4AD908A6153A367BABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047192Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:15.932{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=8DE7DCBFC23641A84C394CD74D9D760E,SHA256=4B662FAA8457CBE1BD88500306066EF1F85A566D284E4CC3D99AFFE54ABF13CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047191Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:15.932{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=10FA3765881E545D94B9DF064675CE3A,SHA256=7E980D93A2032E51B9A9FEA73E44107472A7CF7BED11A138F4A87F4739078D2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047190Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:15.932{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=00C52631FBBB63915C72D69548BB782C,SHA256=D7B9102B0E9A96298243AC54678651F0C639EFE1F353678404357E427319D65C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047189Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:15.932{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=5451BCCCE120A0383127C15FC6EDD14B,SHA256=30FD0B26603F03DF0EBD1023AD3B868804BB1AD36E2A31CC20CDFBDB8BBFADA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047188Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:15.417{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B5D367EDD6B1FA38A238F908CC123D5,SHA256=BC944FE040521FBD7C4AF143E5B7C15DB519BCE971D47A0FF8197E0BBC564A80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028330Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:16.471{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E95F9E3F57E639B8E70ABBD50B01FF20,SHA256=746B01DF20FCFD5E71A7B31BBA27024552346D21BAE79266F5F40051CE1AFFE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047198Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:16.432{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E294489A9C8AFEE3198945C6C12BA86A,SHA256=1F904FF0399BF7AB98E4E7628C90E85BD5EF3856AABF29CD03EEDEE80770633E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047199Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:17.447{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=443C51EE9AE08DCB4C58CD64BAEFD156,SHA256=72DAC2D397D9ABD6B5582C5EE31A175E6BB4F985A7D17C0BAFAC26DE583D11AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028331Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:17.487{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2304E8737906CA93379774DC8C2349F3,SHA256=2EFC277653292C2D70DA1C4560E7D0CFA7E67DC08FD06D46E35D78580ABFD51A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028332Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:18.487{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C4E6966F1AEE03E4BACD50AAC161BF7,SHA256=0D023D29652AD64AB1DBCBD2393BDD1F26437D3664090AC878359178CA1CA239,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047201Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:15.807{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51861-false10.0.1.12-8000- 23542300x800000000000000047200Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:18.464{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26015CAE67581AC492076FA64496F160,SHA256=B8B089D0CCF8052426E60A38065450E007693897B90776BB87E98BBF54E8E752,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028334Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:19.501{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15326944A319B63B4A76DAF226768CBC,SHA256=7C11C699DB71ECBDDA8BD7A9096A93C4F3D5AC52EFE617074C11B7EA384E4EAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047205Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:19.768{323FE7D8-053B-6136-6E02-00000000F001}44405196C:\Windows\Explorer.EXE{323FE7D8-0617-6136-F403-00000000F001}4476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a50|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803046D18A8)|UNKNOWN(FFFF8659940A5B68)|UNKNOWN(FFFF8659940A5CE7)|UNKNOWN(FFFF8659940A0371)|UNKNOWN(FFFF8659940A1D3A)|UNKNOWN(FFFF86599409FFF6)|UNKNOWN(FFFFF803043E9103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000047204Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:19.768{323FE7D8-053B-6136-6E02-00000000F001}44405196C:\Windows\Explorer.EXE{323FE7D8-0617-6136-F403-00000000F001}4476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55531|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803046D18A8)|UNKNOWN(FFFF8659940A5B68)|UNKNOWN(FFFF8659940A5CE7)|UNKNOWN(FFFF8659940A0371)|UNKNOWN(FFFF8659940A1D3A)|UNKNOWN(FFFF86599409FFF6)|UNKNOWN(FFFFF803043E9103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047203Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:19.768{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF6ccbde.TMPMD5=4F8EF1C2D0CD074D7EF5CBE84B3E29E6,SHA256=5DAD2EEF2DD790596120355F9CB5804457452E6EEBD4F53B0DF824C4CF2242DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047202Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:19.484{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD73AD16DFFC818D9C9D89DBB521C68C,SHA256=7C5E80E2F3F656B2FC41393363FACC9C95676DC73EB4C415E9AD7633AF4343AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028333Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:16.932{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51080-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028335Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:20.564{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0962E1A9E196565495C9B98EF1DD1CCF,SHA256=1381C5CDEAE5F055C4AD4E355B45CEE41028DD4633CFF1ADF7DBDF85D29F7781,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047206Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:20.499{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13610EEC1CBB76E23755410054F2D840,SHA256=AF72F2689A4BC42C6F65CB083F9FAB710F60E384B26B64B0FB2C8ADAE8F29A2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047207Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:21.514{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07BE78273A07CE3A2E0C27241649C7B7,SHA256=28AF63F6C9F86FDF7ABB9E1732FD1A7825E30CE9358B2B4E484AD75C727C33B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028336Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:21.579{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03C4FDE11E4EF8431E28C5F7360B8627,SHA256=80C37E15E15F2879B76BE59B560E77316D1773F0DF2BD3B87498A03C48DE8F07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028337Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:22.579{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C8450526CA8985F88DD315070BF9024,SHA256=ACC4E10CDBA42D8C5BE94619B7A07AAFDDA541D4748505CB544CF3D2FCAE4979,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047208Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:22.529{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3066FB82A58D91274F0784B73BC59A93,SHA256=21956F99666B9F3105881E6343E9F3484EC25A8CD3E44A52ADA5750EA87A09AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028338Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:23.595{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=853FE130C4F7942FF449BA3E2FB607C4,SHA256=58999EC8159B59A46996772FAAB59D17065285E96F016A9AE8FBBC434F4B896B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047210Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:21.836{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51862-false10.0.1.12-8000- 23542300x800000000000000047209Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:23.544{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C3C8464A20784F535D8B5B6D12A142F,SHA256=8FB12322212088526DA9B208E26CBAB27402E5C38D6844E2998874A90E22D2B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028339Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:24.626{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF83A8154EDA9A8052278492121C5E8,SHA256=CA205CBB8E5DC1F287A04513958D1D08B00216B74455CA74977EC055CA653209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047211Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:24.562{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F85785D5AFF0543720345C2751E6767,SHA256=ECCA6F2C7042E9330768A147499D86777FE48570A60105C6D9BF216B8AD0333A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028341Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:25.642{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A7A7F7F7951E63A436A3E7467941232,SHA256=EB70F186903D6CACEC46FC2E167D6832C27D976BA153EDCE708A26EDDDC9D22A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047212Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:25.583{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DEF2DB3DE7A449847E33468040E3789,SHA256=2A2A2E27F7A664F8442D111218C532A3FEF966C91AD4DD315D92EC4CFA97EF81,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028340Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:22.946{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51081-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000047213Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:26.598{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D15DC63C9B88C7476B0486D00B04E3D1,SHA256=8F4B127C7C2B306CB3D0C4D160A96E24B1A78482BB6C3DADB7F9120C0A74539F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028342Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:26.657{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC9A494C00A78B76FAE74BE16EDF783C,SHA256=FCD0DA39ACEDC50FD4FA461ECADA282A2AF636E1CE53BE70BD1D7D7F29BFCCEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028343Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:27.673{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=074395EB5B49DEE8FBF8029EAC2A5219,SHA256=0E6BC1E11D03AB1B447EE71FD1BCC8D317112D8C567E2418AB9D1696EA2B10E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047214Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:27.614{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5944D185DF0D427C497818C416E12F45,SHA256=9E3521ECFBC340A263C22AF80B1DFB89B9A97C8079CB0C71C6B169674B593538,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028344Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:28.689{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBB3A03941D0DF5EAB9DE42DD623B222,SHA256=3040768B2AABE2C6CB402F35C90E2F075A7228C5FE178E7A9E532AAB787CD2EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047215Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:28.629{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62989D2C0CED801579AF163149743AC0,SHA256=38D95FC74B6E8E3F336A009C9347A10F1BCE1AE7618F312D2EDFFEA45D7CBC4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028346Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:29.689{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E93AFA76C2456D2C3BCACA1B6482970F,SHA256=A61EB7987D19683056D0D9CB8205E7B6D01535EEAB424EEA5BDD4341313161D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047217Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:27.689{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51863-false10.0.1.12-8000- 23542300x800000000000000047216Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:29.644{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6CB084C654DC97250913AC366E5AECC,SHA256=95188CB6B199FC2FAA2C261034188A7B6755B8BF6099A58911EBBD20E46D4452,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028345Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:28.040{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51082-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000047228Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:30.982{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=CE7970952365A3E185CB6603BA98379E,SHA256=8C5B6210890A32A133AA843BF803C70E9FF36C2A521DB0FA1985A9950C5189FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047227Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:30.982{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=702811F56A85924162E2A4B42030E475,SHA256=F5E192A39AA69B079C0416B1D87297D9A5B8CBE055AD09D4C06D86D500D15F63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047226Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:30.982{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=F00DFFC79AF32E69017EB0BEAD8053AE,SHA256=389BDF981D2E9010A59F01958BB9CAC395A0B0CEB0273A3AA96FEA27E1A4B385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047225Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:30.982{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=EF899931723A0ED309D19ACD88ECEC77,SHA256=8F93D4DF64F1CE556C693C3C8913BC62553C043352E7E931FD9B5C279120105C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047224Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:30.982{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=C681C6504320633C0DB609C7E6D93305,SHA256=9B8016DC56CC6FFC9CC500ADB0B1D23F830360FCEA36C16815A580ACF1880915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047223Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:30.982{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=39D98DFD3544FBCC8C076E1CFB26C9F0,SHA256=6C8FEF6672E09ADF976F057B7BD88366E7FAED772B79B90E583216D79163887D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047222Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:30.982{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=59F22A1DE1DE2A7608CB6A508392CD90,SHA256=4EBAD924DF03F575DAFBBDB0691C62163645E5FBCC206A749745553CEBDBE5EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047221Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:30.982{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=28AFB41C5A94256A77BE14CC7F084C89,SHA256=63660D5EC4856D0479F5EA738DE4A0146E204190209C8B4D886E61AE2F317F6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047220Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:30.982{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=D1039C4185224BED7E6A0EC770D12947,SHA256=7DC5C86B4BECFA31E92A31EC6F6F05A4FA3741260CC7DF7EF89D68F91A26C38F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047219Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:30.645{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B7F2AA1CEB6CBAC28A277595734122F,SHA256=E977F7D418B3BB4A5A8C4B3AEE6ECFA3CC877C35F1031F9E7D1F3A2663D21501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028347Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:30.704{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=764512460DFB4A1E0265E3FF5CEC178F,SHA256=B365503A1C43245685C07FDFE0BE6DCEF038B0F3D8297BCDFB8103296DBA29E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047218Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:30.582{323FE7D8-02BC-6136-A700-00000000F001}1036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047229Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:31.664{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC23EEBF315B212CEE360ED61ABD4344,SHA256=EBAA97F654DFAA75E4912ED73A9CD26BA063D247B4A164C2998177E14A36BD17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028348Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:31.720{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD5BA41B9E44A42101C539F113D26DE6,SHA256=54E0AA7424E479F47D81E33C5BF1949BFE7C1575C3FA4D6128D756EAF216589B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028349Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:32.735{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF941B9C87D2F58F32D82BB8630F044,SHA256=5B70E9F4932DDECC5438D2DA2E2501EC0843C49EA83497EE592309228DC038C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047231Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:32.696{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAE72DA93370AEFD8D55572BEFCD61BA,SHA256=3E6357F09627FB53DBCE1D26A937E13768EC23231342375F5E75BBE8A43AE2D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047230Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:30.152{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51864-false10.0.1.12-8089- 23542300x800000000000000028350Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:33.751{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FC1C0DD68FF03A779D73B3696A37808,SHA256=A4C4B8E30190613C331755B9CF354D19CBBC2D26CFE707D2FEC1D14C228E2707,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047232Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:33.727{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81D3F5CB904E02B4B36468D0C40E1361,SHA256=5739F2E5078B743833A9F5984F088D168946E677E6357D3AE143CED8650896ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047233Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:34.742{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C043755F61C696462012D7CFCF54C100,SHA256=35BAF5C0C6F6C026FEA25A21DAE1841EDCD27D9E984F5EC15C5B6B17BBC98DAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028352Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:34.767{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32755EE3CF2F8E59378724B56A10172C,SHA256=1E2E08114769D28FD754C540DA5CD74EA1CE0764F280625D8E432FFEAD689991,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028351Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:33.087{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51083-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000047234Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:35.759{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95DC1420C0FD28DCBC9BA3CF2FAE9C65,SHA256=C8063658B4C92FA41E3BCF5D74276782306F2AA14AB172F5370119E5DC1FA0E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028353Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:35.782{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC32A4434401EBA0EFAD1C05C235D148,SHA256=559492518BBF8DDD93AD7AF280FE6EFD3EACAA16B4B45B66CAB8D9CEDE1A6291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028354Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:36.814{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC1C323D3EC95FF801EAF3B662952AAF,SHA256=C6583C36BBF1D9F9E6DD22CD49E30C77D52BD84C238DA5AA5A1A43C6F25184EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047237Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:36.778{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46DBF992E728723458E2FA684C0CCE56,SHA256=E756E9C498F79D831A1C2233BFADFEADC8577FFB6BF0D6E0C7098662A6A078E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047236Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:36.357{323FE7D8-022E-6136-1000-00000000F001}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=AC271F327A09BC771FB22C55A36C5BDC,SHA256=B53DEFFDAA5A0273013E6F235029FD5135A0D4D79E75F4186C2AE6E2D5F4CC38,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047235Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:33.687{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51865-false10.0.1.12-8000- 23542300x800000000000000028355Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:37.845{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C6C0C3CA391866CBC058950AC45A001,SHA256=3426BDFBF44BBB9DCB5179E8DCAA565B546BD5235C7A22516A375EE17608DC68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047238Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:37.779{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91EE19B8D1FC3F02E5F7AE3FD6D3BDD6,SHA256=01A8A98896A9BDC72FA45E070897F8D76B8A337B8A22FCB4A9EB5990D123893C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047239Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:38.794{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAE614CB4225B6D9980148B716DFCC18,SHA256=CD2403865175B5A948379344A9AA0AD1A3EB2FE98CB8E6C79010D5FE427B1F26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028357Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:38.876{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FEC8524F4C3DD6C2EC48377608E2A60,SHA256=7BE4D165F578809D4F4AD5029A7585E157EC12848EEF775FB91AABF42C582D92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028356Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:38.473{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\respondent-20210906120554-107MD5=4761C661187147E55C9BD88F93ACDD3F,SHA256=E49051AD655512C416AEEFA39D6145E31F50204E8459201070596158B48A8487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047240Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:39.809{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDE8C7CEF12D86C6DD08566CD19AC8EC,SHA256=022DF1EF66C1450767972C95E9BAAB94993E1701323F6421314697B77C8885F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028359Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:39.899{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0D1F08B8C29DF335778E8662FB8C5FA,SHA256=FB829D1E386127B39007C5F83AFD7EAB8D3E3D6977D943DF34F3D6DD50F931B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028358Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:39.486{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\surveyor-20210906120551-108MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047241Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:40.824{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF73F23E30EBD26A3916EEF3D2A2EEDB,SHA256=00E893DDD857DAEB54B44C694B42D52FC1E9D1F47C86B6469A03C97D8D9A51E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028361Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:38.899{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51084-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028360Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:40.902{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=952839625F5EA815FFB85F8E2A9B4EF7,SHA256=9AB6E40162C6CACE0F682D9C63A44FAF93259475B0365A2D67C931A77A690179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028362Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:41.902{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19DEFB0E7B6BD665364E2FC2FF553358,SHA256=C52653E5B116DA7371FF7409D08B5FCA78BAF55780A92E4A4C2DD3AA3B5447F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047242Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:41.839{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF26C659B906E368481F8B6BE59A575,SHA256=BB8F259556565FEAC379BADF6B457A9328295CF26400E7AB810974404EA5701B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047244Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:42.857{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32C11006E64409F05DDFD19FEE13B335,SHA256=74FD353E890250A18F24997D600464A51ECC56B7F527DE636D91C49E013C0B61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028363Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:42.917{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EA45687B396714C12FBE484E56AE655,SHA256=A01AA6C808F7A7A9ED94427B89062D496C6EC3C724E796DDE4A89C784AA9099F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047243Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:39.700{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51866-false10.0.1.12-8000- 23542300x800000000000000028364Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:43.933{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64B9956D67477F25228ED9EACEB5C090,SHA256=3C2F63C740D9CB2D7F90C39FE8E092CD46C94693E5DE62C2E726665561C33FAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047245Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:43.891{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5BD647AB7FE053F0D42CA0AED1CA74E,SHA256=F7A7DEB2984CBC7008EBBC370B21C5701C3D4DCAF10A5F9CD485F9D5D1CA9457,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028365Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:44.948{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E45EAD79F835AB5883C8FB9438882E4C,SHA256=7658D874147D79A0304CF5800C2D13041C6799D25D692398C5650C05AD89E2F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047246Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:44.922{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFD67490DCBF0059B38BB5BC83F6FD97,SHA256=D02D2ACE26FACF6B01276AA99F39AC476362BD935A4D6209B5107802A1438B09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028366Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:45.980{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B475BA2719ECF8F972482BAC28F7B61C,SHA256=328012053422D3E6EA957A1F827FD4642134FE344546943FB8922F817BCDB347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047247Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:45.937{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79EB187FBF5B4D883EFB0B4A94CA706A,SHA256=D2E17CDBD1F6343372C44323D06F88A8B79B292AD363CE84C43977A69416ED87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047257Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:46.958{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E03D446EEA88516A4015825C9F5CB0A8,SHA256=A79A6EDA5262F14E2DB09F3E574CEEB12E4270D49D5CF3406A6350B020B77F43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028368Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:46.995{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A1015EDDF51D7A044DA614EEB1222B,SHA256=5C3174D1BD91224E3CB30DD6663C99B067F5C13776F86E592BF574A8CF8EEF04,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028367Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:44.893{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51085-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000047256Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:46.037{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=C7651C0EC98035F76CB1C057FBF74D60,SHA256=373DE1930340035E501F62CE43727E07A56ED8090B95C2064817D420377155F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047255Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:46.037{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=01601B2D74AC3F60EC0949C08FA50D4D,SHA256=A21A681C26D890D95CFA3DA33CAAC7CDA9931BA834F934556E1B65F95EA4A828,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047254Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:46.037{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=1431D04148713980CDA8E6A67F6035B2,SHA256=A0135F585F648214F99301B6A9FA51BB39F4C20552C436822DDEE2D37D9375A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047253Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:46.037{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=BF840681869680D65796EA3E2ECC34F2,SHA256=EBC35FD7C5227B7C87E08D43CF978A9130C21EEDDCC0DAA7519238725B908C7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047252Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:46.037{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=0E0926AE5699BBE75460C6080AB999E4,SHA256=7C08034B0C45CC47E47F895064E5AE9F7DC4AA8B54702C31C73CAD77890FF667,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047251Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:46.037{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=8C3DFD19A4530F59EFC24F21B682FA6E,SHA256=4C738ECA024719AB5BF999783A918BE431C2372F5FC89D7A2E76216EB1C9B88B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047250Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:46.037{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=3B38F1C4B9AEE7B78CD5639AE0521278,SHA256=4ABD7E33428E12290692C9792DC08740C561D26898CFDDA7E5C1CBFE4E84D85B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047249Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:46.037{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=7B5AC01FE6B1150503FEC452C1379ABB,SHA256=31311F238C4D5553767DEF67150F23D424440A4FB4636B34B42BFD1B8716FF2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047248Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:46.037{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=315C9E6B64CDB7022CB8A2BC397C69D7,SHA256=C0D434CA9812D4E1D16AE700700AE758B4CB3456EED0E21A65D7BD515D72943F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028369Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:47.995{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F49F83F67D80C84CC3BAA77C56EDF3D5,SHA256=FE15AA12324C620532CDA28E3BCC1932BD8F7F926C76881CA65A5EE72A17EAC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047258Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:47.988{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBBB12ED4951BD58DDC5536E22A0488E,SHA256=AAAB756F8764CE3AC080836C350BA569444DEB0A726F4F4C0CEF052A0AD8EC13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028370Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:48.995{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F6A1748117C0E84D79FDC29BE2D40F5,SHA256=33EB2ED97C33544D2DDF3F120BD3E47B10AD9F23ED7CC91CDC2FCC60AFDE67EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047259Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:45.697{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51867-false10.0.1.12-8000- 23542300x800000000000000028371Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:49.995{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F121320B60DB3025E61B6F8C59FB5D2C,SHA256=3FCA617AA347BEF3BE9AE6E99C26E394E26948DF5F8998D5A0D9BFA6905BD325,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047260Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:49.019{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CC5A78EE6FC2C48895A4B09C0E3BC7C,SHA256=194E631EAFC053776B35B1978782859D1CCE59A08BE9ECBA42E37D0C18F7A9D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047262Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:50.237{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\respondent-20210906115753-115MD5=58D52BFFD80488B8005F7C319C2D4334,SHA256=B9D8441D1BC2ED8425146F5F211E2A21C477807F4E0B7EBAD9811C868FAB9279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047261Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:50.034{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE332DB4C94BB257A85D23708F647FFB,SHA256=09A0EC6EEA873075B9EECB60FA310F9548F758FDDE066950B802277CC213473E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047264Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:51.250{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\surveyor-20210906115751-116MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047263Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:51.055{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1289D3A8B0D260F54AD791DA75388A8,SHA256=2F31C7C7E56B8FBEB21BDD9CC0019DD82AD8BDF6BE6E15A5B364D232BA7D16BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028373Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:51.698{FFF7FB96-041E-6136-1200-00000000F101}1020NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2A6ED38ACD038803F9E487A6A800473A,SHA256=60FE9F2C140281F570C651B421B479D5027B86B0CC45BA89DB4F738D62303BD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028372Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:51.027{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06617FA48E2D46BB2A0DF9E24AD6B19C,SHA256=0F1E7050C180AC6841EF66D2F5EA502B249A3B748FE3D9E4DEF787BA435021A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047266Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:50.725{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51868-false10.0.1.12-8000- 23542300x800000000000000047265Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:52.059{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CE3303AB29487BC9E7A97A6753D08CD,SHA256=ACDAC5E7C2F8FBBA8339899AAC561BC5D9FBAD31D54BE4AAB9EF5F2DADE13561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028374Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:52.042{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA59BB27525835BA330AB2269BE70C9C,SHA256=B0E670B049E4438EF4D8DD24D7637A4D72F5D14346CACAA70BA42370937C9544,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028376Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:50.925{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51086-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028375Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:53.042{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=454659D7237A8104F7C831E7085B361B,SHA256=88B7D21B54DBEC75B4384B419291BD9532CDDBDBF35B5F83BFAD1E958F59F671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047267Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:53.094{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0476301BACB8BB6E4862953B961740FB,SHA256=6CDBDAACA380482ACBD8C13768F64EDB4DE29789251E7BE19B1264C930C3BA9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028377Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:54.058{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CB0E91AADFC58EDE4F28D33DC4880A9,SHA256=78C894A074A4E0BD5CA9F81C56445F764EFB05AF1C00BAE168A3F60D5B2B3CDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047268Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:54.125{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A57149D5E80E4BFA0D7C4BF845AC5F0,SHA256=96FE50A44CC36F3E5796B0BDE5DEB0E8D573ECD7ACB07998C01B8A4282F62453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047269Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:55.127{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80A185C5915DFE19C00C42345B0EE9D1,SHA256=54B6FB78F48C18412D9F96D9659D2FDB7559E54278A74E2118D25897E8882ABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028378Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:55.073{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DF145DB7BB0AD057874FED6EF0DE7FC,SHA256=C37ADA7CC3271A846AD9DA9444E43111BD1AD38D33548A1D54E63B689755EF7D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000047271Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:56:56.729{323FE7D8-022E-6136-1100-00000000F001}492C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a327-0x0e285c22) 23542300x800000000000000047270Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:56.128{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB44AAC57170C98B1E439547E27394F,SHA256=86DFB215F24F9C7336215A1FC82FAA6BA79FFD3703421D486F4A40B5EB259295,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028379Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:56.089{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DD93B3E44DAC2755F2CBEE75742015F,SHA256=2BFA4D4B9BF2DCD21DD18181BBD203E52D0E17D72AC5B91585EE9BF1818855DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028380Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:57.105{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A124B39AD349A85BCCDB0EAA2B0022F4,SHA256=7D75AD2D24E999AA7282B0B44559F8DF1A5E020067D51325EA90CC79E817795E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047272Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:57.129{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C805BC193D54EFDCCD86CA5E376685DB,SHA256=98B03B627A43277BD38E058D3C957B3F8092C357E10E056AEB7D052BD657E492,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028381Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:58.136{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A9C7AC5D153A7C7971AD69D86DF74C0,SHA256=E088692CFFD6DBA2D46D7965AD4656CB4B777CD21A2C6E7253248E7AB441010E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047273Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:58.129{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B813F729B14264FE1662924BA95668D4,SHA256=5CD59E5ADE7F27406C7C47BF7C7809EE98B0D1DD3AC341FB9AAAC1B8B77EE461,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028383Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:56.909{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51087-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028382Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:56:59.136{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B73C1E2A511B93542CE117A5CD41DF63,SHA256=4DD6AC04165F8C070FBD05089A0EF0356C2157E64C94A6C8B447C5EC289A9F27,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047276Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:56.736{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51869-false10.0.1.12-8000- 354300x800000000000000047275Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:56.304{323FE7D8-022E-6136-1100-00000000F001}492C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-456.attackrange.local123ntpfalse20.101.57.9-123ntp 23542300x800000000000000047274Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:56:59.162{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBFF27CDAA325142D279D182DE76CA29,SHA256=6FD7B047C457F51CA6BAA676A13D96A9C755E720BF4E1BE49AEFCF088419AB6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047277Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:00.197{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B9AC47FEF053742AFD1B838037532E0,SHA256=EA38D818D4A6D0AE9F66124E5F6CAA53AA348237B5F293594EE13D36762B4233,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028384Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:00.137{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BB2ABD8A7F1D09A1E568145D8E8901D,SHA256=DA1CEBA31AF36EC7666D565B37D639795C9DBE8C11D6BA1368465342E2079B23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047278Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:01.212{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CB36008D4CEC3B9616A64D850390291,SHA256=06C8357A1F55BD853AA0A95A45774BC033AFA37DDBFAFCF605896263C13123FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028385Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:01.168{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FEE4124B8E343397118434EADB033DC,SHA256=7B3FB6E6D960D088719C14F3962579FA70A5EBCC551BABCDDAD1E6B6C424AA5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028386Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:02.184{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65132E5B41DA968A17C5D43D65DAC48D,SHA256=3BDBF35C1F0B7456D3F4E2A4881A6B591E98EDE371EF52B36AF75DAE674273F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047279Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:02.227{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA43AF3DFB81961CFEA71BD0F96F0884,SHA256=BFEF50A8D1AA93DC21F6ACEC4B90B55BFF1DD14B19F501FD0390C33E69F653C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028387Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:03.184{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA02DEBFF1E69A7FFF3AB769DDDBD642,SHA256=B14BE7CB2AC4F22C7C9027F113CB92ED9C0719D7F08D9A76870550CBE093326E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047280Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:03.260{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B0890E8761143DE92FF49DCD335138A,SHA256=3F6E05A50C6025A6244D2E248B318BF49E250491ADEE6E9B573C099C142A394A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047290Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:02.749{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51870-false10.0.1.12-8000- 10341000x800000000000000047289Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:04.441{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1E30-6136-4809-00000000F001}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047288Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:04.441{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047287Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:04.441{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047286Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:04.441{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047285Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:04.441{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047284Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:04.441{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1E30-6136-4809-00000000F001}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047283Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:04.441{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1E30-6136-4809-00000000F001}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047282Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:04.442{323FE7D8-1E30-6136-4809-00000000F001}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047281Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:04.279{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1683D206BB6BB2ABF2CEC16FAEFB42BD,SHA256=4CA27D220F17808FF81BAC4B27C12D5C366EEACD9274A7D203AF6C1D453DE129,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028402Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:04.699{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1E30-6136-C106-00000000F101}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028401Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:04.699{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028400Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:04.699{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028399Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:04.699{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028398Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:04.699{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028397Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:04.699{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028396Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:04.699{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028395Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:04.699{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028394Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:04.699{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028393Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:04.699{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028392Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:04.699{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1E30-6136-C106-00000000F101}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028391Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:04.699{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1E30-6136-C106-00000000F101}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028390Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:04.700{FFF7FB96-1E30-6136-C106-00000000F101}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000028389Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:01.910{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51088-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028388Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:04.184{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6DBB99DA8761F1E7CBFB817E994292D,SHA256=09E6C25EE91ADBD146A07EF0059ED09357C67E843C84A72F76440DC0A01E5EE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047310Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:05.779{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1E31-6136-4A09-00000000F001}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047309Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:05.779{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047308Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:05.779{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047307Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:05.779{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047306Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:05.779{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047305Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:05.779{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1E31-6136-4A09-00000000F001}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047304Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:05.779{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1E31-6136-4A09-00000000F001}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047303Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:05.780{323FE7D8-1E31-6136-4A09-00000000F001}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047302Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:05.442{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56E4383F6A5CA58DC2E1CECE9C8C0399,SHA256=D5962E24D04A3FF2673506087CE767F5C31CC9145A06104E95B967CDBFBC4963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047301Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:05.442{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26B0621BEE05E504EAF8B40B9AA954E4,SHA256=2FE44E351F8C92128321341D08244364495701AD236766038E1065EEEA72841D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047300Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:05.326{323FE7D8-1E31-6136-4909-00000000F001}6964628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047299Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:05.311{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A08CFC5BA8F0984C1F8833B6395DA40,SHA256=66233AFB0BBEC7D6C2488183D18187FADEBA3103145FD9080EEBC392DA9334CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028431Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:05.824{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1E31-6136-C306-00000000F101}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028430Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:05.824{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028429Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:05.824{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028428Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:05.824{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028427Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:05.824{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028426Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:05.824{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028425Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:05.824{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028424Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:05.824{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028423Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:05.824{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028422Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:05.824{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028421Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:05.824{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1E31-6136-C306-00000000F101}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028420Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:05.824{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1E31-6136-C306-00000000F101}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028419Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:05.825{FFF7FB96-1E31-6136-C306-00000000F101}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028418Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:05.762{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAA41F91ABB51EDA5951D82CEFFF46FB,SHA256=4786CBC3627F0C60E1005CCC43EAE44596C07A241E67C27C22FDC527980986EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028417Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:05.762{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1052F889336EBEC3DB886F09DFC7EE8,SHA256=AD4835AA9D781A305A0678F6CFA4A13A65A6A994711216D29DA8645F08F7CBD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028416Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:05.324{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1E31-6136-C206-00000000F101}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028415Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:05.324{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028414Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:05.324{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028413Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:05.324{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028412Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:05.324{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028411Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:05.324{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028410Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:05.324{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028409Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:05.324{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028408Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:05.324{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028407Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:05.324{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028406Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:05.324{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1E31-6136-C206-00000000F101}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028405Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:05.324{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1E31-6136-C206-00000000F101}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028404Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:05.326{FFF7FB96-1E31-6136-C206-00000000F101}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028403Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:05.199{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFF4C4744AE5930B08402F7011EDB79E,SHA256=77F642B02B098D2663582B51B19BDB9F00A6DC2F9F43D880275D637B441E6560,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047298Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:05.110{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1E31-6136-4909-00000000F001}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047297Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:05.110{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047296Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:05.110{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047295Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:05.110{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047294Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:05.110{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047293Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:05.110{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1E31-6136-4909-00000000F001}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047292Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:05.110{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1E31-6136-4909-00000000F001}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047291Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:05.111{323FE7D8-1E31-6136-4909-00000000F001}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028435Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:06.840{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAA41F91ABB51EDA5951D82CEFFF46FB,SHA256=4786CBC3627F0C60E1005CCC43EAE44596C07A241E67C27C22FDC527980986EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028434Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:06.324{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E0C318534444AA95C61D33FEF794924,SHA256=25684ECF1E9B3B466D37EE5755D374B91C86C4B94EE1ACF4EFC44CAF166AC442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047312Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:06.794{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56E4383F6A5CA58DC2E1CECE9C8C0399,SHA256=D5962E24D04A3FF2673506087CE767F5C31CC9145A06104E95B967CDBFBC4963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047311Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:06.325{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D544B38FEF73F72BEB11EE66E2EA5727,SHA256=CCCBD1E91DDABBB448F6CBE9D3FA54D379547EB410E6582846CCF95176ED29B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028433Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:06.059{FFF7FB96-049C-6136-9F00-00000000F101}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028432Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:06.043{FFF7FB96-1E31-6136-C306-00000000F101}24402888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028455Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:07.996{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028454Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:07.996{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028453Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:07.996{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1E33-6136-C506-00000000F101}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028452Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:07.997{FFF7FB96-1E33-6136-C506-00000000F101}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000028451Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:05.894{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51089-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000028450Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:07.480{FFF7FB96-1E33-6136-C406-00000000F101}16482324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028449Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:07.355{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2292EF88C600C74E6C987D8C123FA2B,SHA256=138EE0409F62D0637CA7497C5B3A33B73C32439586352486A1A289F7F070F9E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047323Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:07.924{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1E33-6136-4B09-00000000F001}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047322Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:07.924{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047321Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:07.924{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047320Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:07.924{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047319Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:07.924{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047318Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:07.924{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1E33-6136-4B09-00000000F001}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047317Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:07.924{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1E33-6136-4B09-00000000F001}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047316Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:07.925{323FE7D8-1E33-6136-4B09-00000000F001}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000047315Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:05.349{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51871-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000047314Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:05.349{323FE7D8-023F-6136-2800-00000000F001}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51871-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 23542300x800000000000000047313Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:07.340{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42F32E3547291AFBB904CBD462E550D2,SHA256=66A2704D1E22079FF59486DC8598FD947ADF61F7E342AEA379DD923F623C054C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028448Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:07.324{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1E33-6136-C406-00000000F101}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028447Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:07.324{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028446Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:07.324{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028445Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:07.324{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028444Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:07.324{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028443Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:07.324{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028442Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:07.324{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028441Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:07.324{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028440Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:07.324{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028439Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:07.324{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028438Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:07.324{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1E33-6136-C406-00000000F101}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028437Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:07.324{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1E33-6136-C406-00000000F101}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028436Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:07.325{FFF7FB96-1E33-6136-C406-00000000F101}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028481Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:08.699{FFF7FB96-1E34-6136-C606-00000000F101}30203672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028480Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:08.559{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1E34-6136-C606-00000000F101}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028479Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:08.559{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028478Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:08.559{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028477Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:08.559{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028476Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:08.559{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028475Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:08.559{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028474Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:08.559{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028473Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:08.559{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028472Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:08.559{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028471Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:08.559{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1E34-6136-C606-00000000F101}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028470Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:08.559{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028469Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:08.559{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1E34-6136-C606-00000000F101}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028468Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:08.560{FFF7FB96-1E34-6136-C606-00000000F101}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028467Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:08.387{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35BC0E7195C52A0A089D2516C5A8906E,SHA256=585A52580C7DB251F6F1103CABAFF3968AB26379FE00AE354DDDE30019A6BC45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047335Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:08.938{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E531A7EC49C1330FB9D30EE76B99EEA9,SHA256=AA29E6D8A3F095D93F5F7A8A5D7E885C1B202F2D74A10044264603CA825168DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047334Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:08.790{323FE7D8-1E34-6136-4C09-00000000F001}3840988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047333Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:08.525{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1E34-6136-4C09-00000000F001}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047332Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:08.525{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047331Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:08.525{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047330Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:08.525{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047329Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:08.525{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047328Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:08.525{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1E34-6136-4C09-00000000F001}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047327Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:08.525{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1E34-6136-4C09-00000000F001}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047326Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:08.526{323FE7D8-1E34-6136-4C09-00000000F001}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047325Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:08.361{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A80AB09F751CABD3050600D1C770C2A,SHA256=6725103A8386461770DD294718FCE8414C5FCF594B75939DB689D5B1DA40894C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028466Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:08.340{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CF31AAAB32188FED162DF7D43B19A01,SHA256=50F75145751BE15334165AB676D9577D8801858E78DD01D97AB76E36C07716AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028465Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:08.184{FFF7FB96-1E33-6136-C506-00000000F101}3696216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028464Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:07.996{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1E33-6136-C506-00000000F101}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028463Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:07.996{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028462Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:07.996{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028461Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:07.996{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028460Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:07.996{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028459Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:07.996{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028458Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:07.996{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028457Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:07.996{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028456Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:07.996{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1E33-6136-C506-00000000F101}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047324Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:08.094{323FE7D8-1E33-6136-4B09-00000000F001}62403376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028497Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:09.902{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=261B60C5555B13CB00A2FC8E2EC1B460,SHA256=FB7142269C98482226D3D064E14666DDC104BEA94B70947F7E0CD6849A3A7BA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028496Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:09.902{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E943F1047D6D32872AE4E964BCE77C22,SHA256=73A913AA0C2F08EA063717F36FCC5DA9A80758A593557354EB7B998D261C724F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028495Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:07.926{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51090-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000047354Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:08.298{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-456.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal56978- 10341000x800000000000000047353Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:09.722{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1E35-6136-4E09-00000000F001}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047352Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:09.722{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047351Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:09.722{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047350Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:09.722{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047349Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:09.722{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047348Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:09.722{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1E35-6136-4E09-00000000F001}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047347Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:09.722{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1E35-6136-4E09-00000000F001}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047346Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:09.723{323FE7D8-1E35-6136-4E09-00000000F001}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047345Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:09.369{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=694892AEC15763303C5FEC535F6499AE,SHA256=A875E2A18D1F51AA7C4C2C628FFAFCA6FCD5EDDE95D23D15FCABAEF1AEF9E00B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028494Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:09.231{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1E35-6136-C706-00000000F101}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028493Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:09.231{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028492Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:09.231{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028491Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:09.231{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028490Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:09.231{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028489Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:09.231{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028488Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:09.231{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028487Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:09.231{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028486Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:09.231{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028485Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:09.231{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028484Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:09.231{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1E35-6136-C706-00000000F101}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028483Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:09.231{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1E35-6136-C706-00000000F101}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028482Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:09.231{FFF7FB96-1E35-6136-C706-00000000F101}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000047344Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:09.254{323FE7D8-1E35-6136-4D09-00000000F001}71361700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047343Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:09.038{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1E35-6136-4D09-00000000F001}7136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047342Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:09.038{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047341Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:09.038{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047340Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:09.038{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047339Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:09.038{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047338Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:09.038{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1E35-6136-4D09-00000000F001}7136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047337Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:09.038{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1E35-6136-4D09-00000000F001}7136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047336Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:09.039{323FE7D8-1E35-6136-4D09-00000000F001}7136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000028500Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:08.528{FFF7FB96-041E-6136-1500-00000000F101}1044C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-353.attackrange.local56978-false10.0.1.14-53domain 354300x800000000000000028499Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:08.524{FFF7FB96-041E-6136-1500-00000000F101}1044C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c880:c40e:829a:ffff-56978-truea00:10e:0:0:0:0:0:0-53domain 23542300x800000000000000028498Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:10.621{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F20A4F2E86B571267614325EF6265EA5,SHA256=5636F8C165568F774E5F5F18ADA43E83985B9312E45BF3912E46B3BDDCEB1F38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047356Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:10.384{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7F613E95BC61999A40531BF0F6BF2D2,SHA256=3E88EBAFC8A0B657DC059B73BC26916A01D3D93F9FA6896210FE8E96B2E4876A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047355Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:10.038{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CC5E0A24FA722366C68D43F58AAE1D7,SHA256=D615CA98280CDF6D90024F66F40A60722530DB668408293874D94E3B455A07A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028501Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:11.652{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=436D23DC1521C11C3CD043B85083EEC9,SHA256=85802DB72EB21DD5954927F04C0C366B147C4879857284F3033245EB71825B20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047359Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:11.402{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F32C9E87FB7951708069DEE402BDE776,SHA256=8B11BBD106EE17A5D5D43C1AF201E6E0144D136CECEA158E9719ADE91289F365,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047358Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:08.761{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51872-false10.0.1.12-8000- 354300x800000000000000047357Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:08.302{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-456.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal63651- 23542300x800000000000000028502Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:12.652{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09C46483C973B563737EB7E743977061,SHA256=97C6089D49954D1EE214E4AE0661F4AA36E29963BF581A748614087189FFC9CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047360Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:12.420{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=722312E7A138A34C3C7232925BEAD511,SHA256=85533FCED60C6B11E5C86FC555A308CD691F730D565610B398BA5B596C79F4C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028503Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:13.746{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C7EF23ECB39BD8C876824F3C49990B,SHA256=875CEE20220512655A4927E260FED5059C27E2D8042641CF819439B1FBD1EB26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047361Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:13.435{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C98A14EB75C062261F1A85D7BB7E4BC,SHA256=BC33DBF9E966528400EF491DA637EFBD22049B83BB0893C0FCCDF3EE07D9CC0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028504Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:14.777{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35FA37F84F7910071E4BE8C54CA5AF80,SHA256=5A5CA8C8266BB66CD694C893C28E1382F55F35D569AE0F88EB523286E03C80A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047362Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:14.450{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27A1D908C073C6FC0480C9B5F8331516,SHA256=B44FDF20969320FCDC6D812396BE7BC5A004C650F208EDC1EDEF36FFF8FF51C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028505Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:15.809{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C86CA144AAB325D20A0559BD48E71EC,SHA256=535020C5B8EC93217B3CA111323986B44F04BA7CE618E68975F66913422D91A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047363Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:15.465{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=106045C260D49E1C4C42EE375CC82BAD,SHA256=BE4BB58CA22E9F86702CF927FBC3914980636BB1B2DE47FD57119A8A94A0B599,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028506Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:16.840{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5C74364C8EA45BE0AA00F87AFEFFA0C,SHA256=5EA80F690C20A5BD86D0289EA6392BB0F864AA4D7A1A477312892A04DF434347,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047365Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:14.773{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51873-false10.0.1.12-8000- 23542300x800000000000000047364Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:16.471{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F8B7753DBCFE7231CCCD9316483A089,SHA256=A000B268BB7EA01E2F7D784D2735758D10C4B41A42544FA1B5F94677C40E128C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028508Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:17.856{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=863755D1D5489AC625EDEAD792437E27,SHA256=FF1AC3FD4DA7F3AD27AA16EC5557F5D906ED6DCB069EA50D8672A79D8CA3EFF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047366Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:17.486{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAAD32CA8FC112E3CABE4DD9D50D0687,SHA256=9145A92620B31498607EDACBCF42BEA63403EAA21E893B74B065208201975A10,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028507Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:13.910{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51091-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028509Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:18.902{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C97569FA382DE3DF179C6502E08E5E0B,SHA256=7279CCE2A680AF84D4100BE815FEB8D0DD9618884407A6CE169BC9A1864231E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047368Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:18.503{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DCF2D9E25A069260916CB84469075B0,SHA256=E7FFF57DF91CCC432671F60902835AC31848109F0EB62926D62CD2B0D31F9256,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047367Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:15.478{323FE7D8-022E-6136-0F00-00000000F001}296C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.244.34.23-58918-false10.0.1.14win-dc-456.attackrange.local3389ms-wbt-server 23542300x800000000000000028510Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:19.907{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD57C8A0388D09B7C232CA0DE05AFA20,SHA256=6892C0B8D5AB6FC09D90618E6CA892FD542A744EB153779A99F09770BB9AB6A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047369Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:19.522{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90F52122945B65C3DC8C0D53D1B56BD3,SHA256=F6A9FB660137D38B8F7D9D82F9A1484DC076C44814730B43C40EA2D27FDA1655,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028511Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:20.907{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AFC0A2AF0D1C8B4A6794D68BEA07E93,SHA256=DB1078E56DA2617044FA1223571B55FF93B452208CAC3AC53FC794073F29437C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047373Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:20.537{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58F14AEBFD3FC04B18A8B499F51F6E34,SHA256=D834EC1B591CA2D1D49EEFF0843DF3004681CC90FFB67A2BCEBA964D8EB2B693,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047372Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:17.492{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-456.attackrange.local53domainfalse127.0.0.1win-dc-456.attackrange.local60372- 354300x800000000000000047371Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:17.492{323FE7D8-022E-6136-1400-00000000F001}1096C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:1000:0:98d0:23b4:8be6:ffff-60372-true7f00:1:41b8:400:0:488d:15ef:e4a0-53domain 354300x800000000000000047370Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:17.462{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local60372- 23542300x800000000000000028513Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:21.954{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=439D2EE920AD35D916693972FDB129D8,SHA256=77F6412F655C21FF1F7774B26569B535257F3A2626215238E371E92E0BB3ED61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047375Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:21.553{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA1FB2F247458689CCBEBF704B06CDAC,SHA256=611CF9AF8E134022B70BF296F9E5BB85C1F6E392E0B3E7B0BC562230AACA243A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028512Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:18.910{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51092-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000047374Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:17.713{323FE7D8-022E-6136-1400-00000000F001}1096C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1win-dc-456.attackrange.local60372-false127.0.0.1win-dc-456.attackrange.local53domain 23542300x800000000000000028514Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:22.985{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6AFEEC1633EA7E35AB622AD1B1ADF3,SHA256=F86D6506A30AA4218898C984E276254F40A96D91C6613A06707E9DC6B45B25A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047376Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:22.568{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E61DC571101437DED24F35CB1821B365,SHA256=37A988A72019DA372AD9AA7F7F57D2913F1511D1603888DAC030E1022E391594,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028515Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:23.985{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B088956DC754E4DA99F77DBF62B71796,SHA256=E06E70CD322B8AC9A4BCDC3CE12C54299155D95A2C9F1488415FD2DDED9D191A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047378Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:23.583{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66EE79BC14673CFC2861FCADA997C543,SHA256=BE39FA068927A170202E790D36C9DC01E1AB8860A489BEEC4D39A7E98D0BC0A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047377Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:20.729{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51874-false10.0.1.12-8000- 23542300x800000000000000028516Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:24.985{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F54ECDED2BCB83B6C0FC7D01595A1A12,SHA256=4B77B466DD16F4047235495DB82E803594E3ADC7B237DC96D9C55A20355EEEE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047379Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:24.584{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA9BA015EB458C42939317B370A19D8A,SHA256=09CEBE93F088EAD3563DDA81D00678D014235E7649CF86EAC697DE30C5AD86A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028517Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:25.985{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1BFD10749775E4EC10733CB7DAE832C,SHA256=8ADBADED87502EFDA632CBC1B509BB180980259EC7638861E704D94F39AEBF05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047380Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:25.636{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F936F0BDA88E9B1F34FAAC39F5A267E6,SHA256=407322A0A0C85D933A5EA76DB6B61521AC723B244C0D6678828CC555B7832854,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047381Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:26.683{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=388D3099F568764AEC8E4B82515CBA80,SHA256=C31C78E61C91F788FAF0792D0032847E50EAA1DCCEB20C0AE9D67F7BDEDE3E32,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028518Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:24.055{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51093-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000047382Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:27.700{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0C9E6CB75D2D9FE7BD64C9A20FFC744,SHA256=59C86907216F2A8BE10D62EEB8D1EAF7B679F13A37CAABCC0A8A287332FBA27C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028519Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:27.017{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D167A0C61DEADB02F9E4892F5471D23,SHA256=DDF58F612D9D56FC44AC3782E521B2FF102A2E9647287CCD882A8618946E2FE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047392Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:28.751{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45E3D91DDC2EBE7ECDBCD93F229A1B93,SHA256=CBDF19F72A8600FF609AAC83CD9103B6A11A07F7D080152DECB8BF61D0A1F32E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028520Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:28.017{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30F14037A02498A9FD22FF770F3CF623,SHA256=85BB8D38C7CCC849B8089AE41FDAA7DF26F3C34099C1A59C831EE40830989A77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047391Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:28.205{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=6D4195DC6958BF634E1ACEA8649F504F,SHA256=BEC9F20C74C5E1E6DAACF21E7BF82B2262C3367EE7754EE42D98E52743571686,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047390Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:28.205{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=B3DC336BD92C3B2009A19A2BB945900F,SHA256=ABDBAC35E210BE93F6B7C9FF842733762D301B773E5108582B507546B15B4849,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047389Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:28.205{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=F0E3150E022EAFE43FECCF5591175A1D,SHA256=4FB5EED7FB0F7C5D3B3CC4143BAD210BF4C35AE5B8D6E0FA9FCF5CD3563D27E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047388Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:28.205{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=CC82392C81F9E4BE4CC4B24389566E45,SHA256=F2EA697DAD76C6F9656166D0FD7CB6DF088B19D8FE13417696A6468F19174A18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047387Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:28.205{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=B12771A108816B4491997AFE0C151F09,SHA256=493B9637986B59A007465C1E50E8E3D2753C1611325DE072FDA4A1F788DF1C0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047386Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:28.204{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=6069C5A3C5269B13013999E46AF81C1B,SHA256=CBE9BB865841598EB0318EBAF853030F3CA49BEC8D588918913518C24B16AB7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047385Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:28.203{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=10DF6127152ABA279F7B479C7ABCAC33,SHA256=DE2AF858793E97BF073A98C0B56580C670D518B9D2E9382CA8D91F3294C26300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047384Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:28.202{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=C2E2755C74CCACF5ABF643DD00BD45C9,SHA256=D86D07FDE70A6F3F14B311933538A63C956D177FC1A74D6F2688A936AD7F9A97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047383Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:28.200{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=762F506B01A6EF86EF5EA8D55300ACC9,SHA256=6AEE49FA82E4F21D84219132A8E4FB1A122CD0BC940CE157FCDEFFB9746B3B69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047394Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:29.782{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E80EEFD8D479976BFB2105F20922593,SHA256=4960CC8147EC45C4FF468751E0FE568CAFA0E1BE7FFEE98F8E00C6881532EEEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028521Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:29.032{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9971C88C7C23EE908D40322951ACA30,SHA256=9A38C05E0930C500213DC7D281F9B502094F9774B7E4D6D307388604F88F76FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047393Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:26.712{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51875-false10.0.1.12-8000- 23542300x800000000000000047396Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:30.818{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2944D324E0600B7D1B3910FE094B28E2,SHA256=FF27C0A3B45099A133786FA9CCF5F4AF674C8D92A782FB3915BB58A68A62748D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028522Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:30.032{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E5BFE82492EE52C19FD116D58E5C319,SHA256=D794F1F0F32DAE1D46CA35A883AD2140317E47D0087F1024F2ADAB6828068043,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047395Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:30.618{323FE7D8-02BC-6136-A700-00000000F001}1036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047397Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:31.849{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=223B224C2D240EAEB24F6CE524591370,SHA256=9D7F5F57C99807D0A600DFDC18E0330C34A271DD1BB504DCCD9CDB996E8D2302,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028524Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:29.993{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51094-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028523Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:31.064{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FB139D7D14486285948E91CE5EC7D49,SHA256=335E992115A86768FF38625DB2251F81E356B344E3BF3CBB8D727A1642A14ACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047399Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:32.879{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31888F737D50AAC11CCFB45356D97994,SHA256=F1566AFED6381D349FAA9FEB2ED485ACF97E65E3BB3542FD19832007703424C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028525Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:32.064{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10DF68FEEC4D36790089BDC595F1F75F,SHA256=F964306DB59F9E5361809B4C2C52A1AEA62F39F5A0F941B05DFD6BE65FFF354D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047398Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:30.188{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51876-false10.0.1.12-8089- 23542300x800000000000000047401Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:33.879{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B03C3BEDAC378E8794B5AA13AB10162,SHA256=94923EF821EF281D169F1016F9773551BD982B150D6F45B3B6B31B76E0578E02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047400Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:33.779{323FE7D8-022C-6136-0B00-00000000F001}624764C:\Windows\system32\lsass.exe{323FE7D8-022A-6136-0100-00000000F001}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000028526Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:33.079{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C62A3C02965CBBFDC761B493FF48CBB0,SHA256=5007D31FA8509406928F085A96A967C0D4394179BE46B7E05ED49C49BB097416,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047417Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:34.900{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1600D3CF89B2A2EC3B033493872662F4,SHA256=BF732F65E9AC6C820A85C77258D49269A359BA7232F45B0D412ECFDD8DF61580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028527Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:34.095{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A40F0F3D48FED5D979E19C48A58F93DD,SHA256=764A85E60FA0D56C8AB58C8BAA3B65601ACD7E9A153DE9B37E60390F7FE44821,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000047416Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:57:34.816{323FE7D8-022E-6136-1000-00000000F001}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{07616b43-7644-4749-b4c7-5155a6fbffb8}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x800000000000000047415Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:57:34.816{323FE7D8-022E-6136-1000-00000000F001}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{07616b43-7644-4749-b4c7-5155a6fbffb8}\IsServerNapAwareDWORD (0x00000000) 13241300x800000000000000047414Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:57:34.816{323FE7D8-022E-6136-1000-00000000F001}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{07616b43-7644-4749-b4c7-5155a6fbffb8}\AddressTypeDWORD (0x00000000) 13241300x800000000000000047413Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:57:34.816{323FE7D8-022E-6136-1000-00000000F001}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{07616b43-7644-4749-b4c7-5155a6fbffb8}\LeaseTerminatesTimeDWORD (0x61362c5e) 13241300x800000000000000047412Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:57:34.816{323FE7D8-022E-6136-1000-00000000F001}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{07616b43-7644-4749-b4c7-5155a6fbffb8}\T2DWORD (0x61362a9c) 13241300x800000000000000047411Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:57:34.816{323FE7D8-022E-6136-1000-00000000F001}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{07616b43-7644-4749-b4c7-5155a6fbffb8}\T1DWORD (0x61362556) 13241300x800000000000000047410Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:57:34.816{323FE7D8-022E-6136-1000-00000000F001}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{07616b43-7644-4749-b4c7-5155a6fbffb8}\LeaseObtainedTimeDWORD (0x61361e4e) 13241300x800000000000000047409Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:57:34.816{323FE7D8-022E-6136-1000-00000000F001}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{07616b43-7644-4749-b4c7-5155a6fbffb8}\LeaseDWORD (0x00000e10) 13241300x800000000000000047408Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:57:34.816{323FE7D8-022E-6136-1000-00000000F001}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{07616b43-7644-4749-b4c7-5155a6fbffb8}\DhcpServer10.0.1.1 13241300x800000000000000047407Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:57:34.816{323FE7D8-022E-6136-1000-00000000F001}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{07616b43-7644-4749-b4c7-5155a6fbffb8}\DhcpSubnetMask255.255.255.0 13241300x800000000000000047406Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:57:34.816{323FE7D8-022E-6136-1000-00000000F001}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{07616b43-7644-4749-b4c7-5155a6fbffb8}\DhcpIPAddress10.0.1.14 13241300x800000000000000047405Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:57:34.816{323FE7D8-022E-6136-1000-00000000F001}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{07616b43-7644-4749-b4c7-5155a6fbffb8}\DhcpInterfaceOptionsBinary Data 23542300x800000000000000047404Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:34.800{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB1BB9CE50EE5460E0E680BE5672B5D7,SHA256=87BBE1BB398EC43AE0983A6A68F20056E60C5A0D5A412160B8010E43A881E0EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047403Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:34.799{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE91030FADD6DC4D753E115680F04915,SHA256=9EFCE2C168136B4B2FE859C0FEC3600A98D2CB222E164AC67989EDFCDF7CE3AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047402Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:31.725{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51877-false10.0.1.12-8000- 23542300x800000000000000047422Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:35.915{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ADE889F9F61A6486E5D570CB74F2B78,SHA256=9E81021FBEE22E406CE7373C3571E702D6924DEE2181D3435350C676264396C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028528Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:35.095{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C0E18D19EFC9174C51232FE0B69B0F8,SHA256=9C2DCE221A412474E5A31E6F5ABF5435E0A4050F01B08DA8FA8849B030E2DDE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047421Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:35.515{323FE7D8-022F-6136-1600-00000000F001}13085940C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047420Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:35.515{323FE7D8-022F-6136-1600-00000000F001}13085940C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000047419Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:33.372{323FE7D8-022A-6136-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51878-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local445microsoft-ds 354300x800000000000000047418Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:33.372{323FE7D8-022A-6136-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51878-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local445microsoft-ds 23542300x800000000000000047449Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:36.946{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB8E9785DB32481696BDA205E9B83791,SHA256=AAB2B2B0314F95676E0770C212582E40D4B75DE43CFD7C97543CD8174866DEFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028529Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:36.110{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B160998D972270500C68B6B926332A,SHA256=37637BD0AF937D447EF9BA2E4BA8CFCBBFDFB608C8F16EDBD979FFB26592C523,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000047448Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:57:36.846{323FE7D8-022E-6136-1400-00000000F001}1096C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{07616B43-7644-4749-B4C7-5155A6FBFFB8}\RegisteredSinceBootDWORD (0x00000001) 13241300x800000000000000047447Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:57:36.846{323FE7D8-022E-6136-1400-00000000F001}1096C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{07616B43-7644-4749-B4C7-5155A6FBFFB8}\StaleAdapterDWORD (0x00000000) 13241300x800000000000000047446Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:57:36.846{323FE7D8-022E-6136-1400-00000000F001}1096C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{07616B43-7644-4749-B4C7-5155A6FBFFB8}\CompartmentIdDWORD (0x00000001) 13241300x800000000000000047445Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:57:36.846{323FE7D8-022E-6136-1400-00000000F001}1096C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{07616B43-7644-4749-B4C7-5155A6FBFFB8}\FlagsDWORD (0x00000002) 13241300x800000000000000047444Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:57:36.846{323FE7D8-022E-6136-1400-00000000F001}1096C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{07616B43-7644-4749-B4C7-5155A6FBFFB8}\TtlDWORD (0x000004b0) 13241300x800000000000000047443Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:57:36.846{323FE7D8-022E-6136-1400-00000000F001}1096C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{07616B43-7644-4749-B4C7-5155A6FBFFB8}\SentPriUpdateToIpBinary Data 13241300x800000000000000047442Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:57:36.846{323FE7D8-022E-6136-1400-00000000F001}1096C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{07616B43-7644-4749-B4C7-5155A6FBFFB8}\SentUpdateToIpBinary Data 13241300x800000000000000047441Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:57:36.846{323FE7D8-022E-6136-1400-00000000F001}1096C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{07616B43-7644-4749-B4C7-5155A6FBFFB8}\DnsServersBinary Data 13241300x800000000000000047440Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:57:36.846{323FE7D8-022E-6136-1400-00000000F001}1096C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{07616B43-7644-4749-B4C7-5155A6FBFFB8}\HostAddrsBinary Data 13241300x800000000000000047439Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:57:36.846{323FE7D8-022E-6136-1400-00000000F001}1096C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{07616B43-7644-4749-B4C7-5155A6FBFFB8}\PrimaryDomainNameattackrange.local 13241300x800000000000000047438Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:57:36.846{323FE7D8-022E-6136-1400-00000000F001}1096C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{07616B43-7644-4749-B4C7-5155A6FBFFB8}\AdapterDomainName(Empty) 13241300x800000000000000047437Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:57:36.846{323FE7D8-022E-6136-1400-00000000F001}1096C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{07616B43-7644-4749-B4C7-5155A6FBFFB8}\Hostnamewin-dc-456 10341000x800000000000000047436Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:36.846{323FE7D8-022C-6136-0B00-00000000F001}624764C:\Windows\system32\lsass.exe{323FE7D8-022E-6136-1400-00000000F001}1096C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30485|C:\Windows\system32\lsasrv.dll+2e31b|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x800000000000000047435Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:57:36.846{323FE7D8-022E-6136-1400-00000000F001}1096C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{07616B43-7644-4749-B4C7-5155A6FBFFB8}\RegisteredSinceBootDWORD (0x00000001) 354300x800000000000000047434Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:34.415{323FE7D8-022E-6136-1400-00000000F001}1096C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:33c9:4c8d:c830:d0bb:8be6:ffff-58686-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x800000000000000047433Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:34.415{323FE7D8-022E-6136-1400-00000000F001}1096C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local58686-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x800000000000000047432Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:34.408{323FE7D8-022E-6136-1000-00000000F001}404C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-456.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 354300x800000000000000047431Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:34.236{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-456.attackrange.local51882-false10.0.1.14win-dc-456.attackrange.local389ldap 354300x800000000000000047430Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:34.236{323FE7D8-022F-6136-1600-00000000F001}1308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51882-false10.0.1.14win-dc-456.attackrange.local389ldap 354300x800000000000000047429Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:34.228{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51881-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local49666- 354300x800000000000000047428Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:34.228{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51881-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local49666- 354300x800000000000000047427Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:34.227{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51880-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 354300x800000000000000047426Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:34.227{323FE7D8-022F-6136-1600-00000000F001}1308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51880-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 354300x800000000000000047425Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:34.225{323FE7D8-022E-6136-0D00-00000000F001}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51879-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local135epmap 354300x800000000000000047424Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:34.225{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51879-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local135epmap 23542300x800000000000000047423Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:36.362{323FE7D8-022E-6136-1000-00000000F001}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E9BCC3A06387BB0FEA8B5889612D7162,SHA256=C0693D4A41F24A39268C70D35BC5560D78A491370E9849BBCFDB43A41784A51A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047457Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:37.961{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8267888C4DA8F42A338D1F2CDF98E970,SHA256=2F7AA1B09FCAFFC03A64CD5D3635DE1A0ACF70C424AA0F677497DFBC42F3704D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047456Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:36.443{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-456.attackrange.local57368-false10.0.1.14win-dc-456.attackrange.local53domain 354300x800000000000000047455Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:36.443{323FE7D8-022E-6136-1400-00000000F001}1096C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-456.attackrange.local57368-false10.0.1.14win-dc-456.attackrange.local53domain 354300x800000000000000047454Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:36.442{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-456.attackrange.local53domainfalse10.0.1.14win-dc-456.attackrange.local65535- 354300x800000000000000047453Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:36.442{323FE7D8-022E-6136-1400-00000000F001}1096C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-456.attackrange.local65535-false10.0.1.14win-dc-456.attackrange.local53domain 354300x800000000000000047452Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:36.441{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local55890- 23542300x800000000000000047451Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:37.877{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB1BB9CE50EE5460E0E680BE5672B5D7,SHA256=87BBE1BB398EC43AE0983A6A68F20056E60C5A0D5A412160B8010E43A881E0EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047450Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:35.507{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local59429- 23542300x800000000000000028530Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:37.110{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D17A6C3918355944FDBFCF3AFFBC799,SHA256=5908D3A97F88C2BF2995C768927EF4C80571AB90406BEA50FF5EC5D43E16B5D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047466Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:38.977{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FE55F6972E43D2C2A8BA96235FCED87,SHA256=76DC410A8945A4577C41410F3BB2CEE0734FF5C4B2CAA92DFCDA26ACA973F4AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047465Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:36.452{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-456.attackrange.local65535-false10.0.1.14win-dc-456.attackrange.local53domain 354300x800000000000000047464Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:36.452{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:33c9:4c8d:c830:d0bb:8be6:ffff-65535-truea00:10e:b9e8:900:4c:8d44:2450:498b-53domain 354300x800000000000000047463Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:36.452{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local52893- 354300x800000000000000047462Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:36.451{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local65535-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domain 354300x800000000000000047461Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:36.451{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local60223- 354300x800000000000000047460Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:36.446{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local57369-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000047459Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:36.446{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local57369-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000047458Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:36.445{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-456.attackrange.local53domainfalse10.0.1.14win-dc-456.attackrange.local49682- 23542300x800000000000000028532Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:38.142{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09912CEEF0545A401AE9329EB4A04A63,SHA256=AAD56252D77D0225FC5320E6552F860713CE21437F084483B7F7C18898C47296,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028531Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:36.009{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51095-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000047477Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:39.982{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C742E8FEA10C5DF5544120ED7BA37AD,SHA256=9917F20DE46F01D00167238229BC7FFF2EE86B6A18A6A75FC69380C3E70CC1C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028533Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:39.157{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B96182B98F6B04F030183FFD2363D6A,SHA256=F3D6FB9568A32E44A623A11CD95610832CE1396738F1BC9F4F4D91546E87E998,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047476Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:36.853{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57370-false10.0.1.12-8000- 23542300x800000000000000047475Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:39.014{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=2C787A420BCA1483176C7B039F87E3D3,SHA256=BF68D0F3593BE68DEA7FD52D96AA45F3AEA87B3C1989E09EE09EDE7A549C2BCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047474Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:39.014{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=02B0173C31080ED65FB75A6A2BAEFC7D,SHA256=BF6FB052FB2DFFA4DABAF565A66867ABF3F34621F565570164430B5D6940EC78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047473Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:39.014{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=9D16419CA8E55749F88B3EB62FF3AEE0,SHA256=BD533C47FD5E41267D305F7E51617A97DDD0431183AD7387DD3A42AD064E1456,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047472Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:39.014{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=6C00AA417B6147CD8391F44EA5644156,SHA256=93C481EC78432D8E755809472D3C1D320E2E9527D0B71B45450CC4A356585D91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047471Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:39.014{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=EE5278A4AECA867F9158334C4AD8997E,SHA256=E3BB1A87468300049653BDD24E880DA011F0F7D7415907BB92BD741A30912197,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047470Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:39.014{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=3F3F22886A77B52B3EDB9BB8928B9859,SHA256=014C376D1AA39E4D859B2E729A7C1E1D9C8B64A8D318862E6BC55918D226A6E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047469Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:39.014{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=E041A2FBA424D53ACC40C1CD8D77F146,SHA256=89B29CE62B04247EA2EF2EF794C0D5DB91A60DA658FBF7E893DE0CD206F83718,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047468Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:39.014{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=0721D4CF5CE2E41F635F72A97BD7A0B3,SHA256=D92B074ECB4BB9B376DFDDF25D287549269841FFB84AD964632D0ECBAA576EEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047467Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:39.014{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=F6226209141C07FA653E68F6410C87D6,SHA256=4DB92C1B19D5541DA375AFE68A16E674303E26247CC3880EA9119CC2020A4A73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028535Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:40.193{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ABD758BEBC448F15C322E3A22729393,SHA256=E3046A6CCBF7D384ED27A7577D44AC152AA9043AC4C6B0AE1EC7F3E4EBC8EF8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028534Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:40.008{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\respondent-20210906120554-108MD5=4761C661187147E55C9BD88F93ACDD3F,SHA256=E49051AD655512C416AEEFA39D6145E31F50204E8459201070596158B48A8487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028537Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:41.208{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F23CB3DBD3C97CB317996C6B07DD9D36,SHA256=239AF3DE4161F904EF295BC626D145E733C753E88431B6319EB2C0C1B3CCDF7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047478Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:41.000{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B38C88F476CA3C534D473802EC4A9822,SHA256=72BC7FB431EE3B7FEF992D126EF4725A468744ECF3F158238F10C33EF7574318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028536Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:41.022{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\surveyor-20210906120551-109MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028538Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:42.209{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E082F082C554F5505A8F827F9C9B90E9,SHA256=A3A1091795AA4A369D22C178378243A8EF3E16A499D1108BF3E14780244F3734,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047479Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:42.019{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4124BF1695A6F2541E66214947DBCC88,SHA256=F8516488219911E69488680E2A8A40B0C9A83D5C1C9E252405F9AB56B97DF5E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028540Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:43.241{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11EFCE7D920CFBB91FB493841B40CB83,SHA256=A42DF885D751EB6BCE2F2E895BDD2160B35DEAFA71FFDBE580A1FB7EF44AD4CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028539Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:41.105{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51096-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000047517Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047516Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047515Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047514Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047513Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047512Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047511Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047510Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047509Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047508Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047507Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047506Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047505Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047504Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047503Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047502Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047501Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047500Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047499Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047498Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047497Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047496Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047495Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047494Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047493Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047492Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047491Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047490Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047489Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047488Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047487Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047486Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047485Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047484Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047483Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047482Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047481Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.035{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047480Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:43.019{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F95036380A90FE6E21D4DE3230A846EC,SHA256=359DE5F04B3FFD97F6BA250023A3B4E46D8862B848A23AC763E28C91B82465A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028541Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:44.475{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=144A797275388EECE1282E06442F8D7B,SHA256=00DCB5487BCE5B60CF1BEAE01C1D90DE7E48AB285D1D6268242797FE5482F052,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047528Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:42.742{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57371-false10.0.1.12-8000- 23542300x800000000000000047527Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:44.481{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA6CD9459DC50280A16B643E3C76B0F,SHA256=6F2C0E350BAA8F345A803CF82E85344F573C91E4564172753F8F481AC13EDAA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047526Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:44.034{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=FBB9E700BC6FA216C4FDE770875DE770,SHA256=0802BC13CD68E160544D1F943E9CBD39D9B94EEBC95CF625E3680AA822FDA305,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047525Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:44.034{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=5FD298A5C3C52AC2F4599148AAE17E9A,SHA256=020F07174E259F1B6065BA6BC3F725834A6F0CD47229213C457A4DE46F060C59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047524Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:44.034{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=F0C268BA533D1E108308AFDE4D7A2514,SHA256=F09125F179D9F98242B740DBAB2DEB45F8A7C943AAC23809AE4D43E9F04684E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047523Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:44.034{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=2D7C25B3ED969228328A8200A067F2E5,SHA256=32F9CCB1EA9FC327920D5D595B2C78C5AFCD8065121C85B13076B8D8C655EC38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047522Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:44.034{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=381141AFC5E28F904B8C89BCA48DE2C1,SHA256=7DE96311A1E61F4C52FA0731453523790C55F9F92BCF8FEF2FB14690634C3245,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047521Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:44.034{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=377D24641C1BE530F00CAE70B5499269,SHA256=0F6922AF7A263B7CF995861AC3A5CBCDE7F00A18079E547F21188E4971F8B2D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047520Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:44.034{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=8FC899F5D70C242411831D9C4AA2EB42,SHA256=394AD2EA250B1C46949E17F351B2F55520025B78F22D9A147D70ED156E411AB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047519Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:44.034{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=6F57D9A7AD52E2A1A43930A4D06FED33,SHA256=476126921C4769EBDE710C840E4CDF7830388362251E72C5FE5E3BB54A0F9278,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047518Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:44.034{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=B1138535189CFABDA03DA6B560795FDE,SHA256=39E572B6D26133DCB6EC85D3FA16AB1BB5FAFD179870812A2EDB7350D274570D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028542Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:45.475{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DFFBCEE2B7ECFAB03E23E73EB55E1BC,SHA256=097A057DBD6ABAD55C3042AAE9745B85FE5F3927CB10A79AC1E5E171E5547CB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047531Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:45.564{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99B212FBE7EF8BF301B4CB725647C485,SHA256=6DCF46B030B264F2D38A3393E03F264BFD2B66481D900E033CCFD19DDA5139CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047530Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:45.564{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B8911A33C8EBE7E36E702B090CF9AB6,SHA256=D62ABB65F608F9CC57A1538CFF06B2EB16F33AAB27FF4422806BE0A193889788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047529Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:45.499{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B3EB884F16944059F95BB2395D4CE14,SHA256=CD5194882718816745969CFFF448C7F2165410818C26471D94603796996BDF82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028543Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:46.475{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1DE8F2554050C6AAEB1FC5F59EE5032,SHA256=322D314D3DAE11DDF83470C7EA0483F0CFFEC3E648BA72E9FC9BDB6F4893A033,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047532Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:46.517{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69A2517A7CA080D95A6A2E3CE6944E65,SHA256=1727CDB7BB2D11693D043F209ED6511B4F0984306C62FE2B1B6C81CA3390847E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047533Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:47.532{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9D6CDEAE93C63640B3D50B543482C81,SHA256=07C5CED8657058AE9FB4B611DBC0A2242D23BD41CFADFBBD501561BA003FC7C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028544Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:47.475{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=694689F3F90B89E2FD05DBB527967A90,SHA256=6D51528067B8D600034B9E55A3133FCB7A536BFCD1EC75068DA7CAE6C9A57C93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047534Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:48.547{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7DCA3EAF8EC3ACC7F3377E861671588,SHA256=3637D18BD4D821FC5242FAE3831316A0A2AF545E846CC8D7E24F0DB439D4602D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028546Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:48.491{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37DFB5DDDB7F29E91F4EE67640561AEA,SHA256=09AF836D5BEB0F60A00D03827558E7C1A5AE6F8A8DE9CB6F3D3B74F229F87CB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028545Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:46.108{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51097-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028547Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:49.506{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD58E5F95481C82CFBEAB12BCDACB207,SHA256=846F07DFC11530B495853EF62BACAB8C19229CA775F20B6807EC6D5887B0CE89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047535Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:49.577{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=216FEB572173B33DDD2F5A1162511D55,SHA256=748837DB482538E42F048CE0556EB41B0DA3AE5DFA37BAA09060BE90EF1EB998,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028548Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:50.506{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73F222B61B8F74EED40CEC29EFF6352C,SHA256=4893F0E69F38018F29B52A23FDB3D72020F4F1A5C8E4BEBA28253C959C6285F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047536Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:50.595{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF7EEF943BBEF7178E3C1E4BB114FD85,SHA256=E7FDC2D9112925881FB736333509312DC33B154AD1AAB25D6B7496D0AAFB93A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047539Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:48.738{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57372-false10.0.1.12-8000- 23542300x800000000000000047538Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:51.800{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\respondent-20210906115753-116MD5=58D52BFFD80488B8005F7C319C2D4334,SHA256=B9D8441D1BC2ED8425146F5F211E2A21C477807F4E0B7EBAD9811C868FAB9279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047537Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:51.614{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C8A20E1D49A3FCC357813B331883E47,SHA256=A57EE0B37B3E6F2E2463D58C1B2B1700B05F836A85880C6A0155DF549B4E0157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028550Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:51.710{FFF7FB96-041E-6136-1200-00000000F101}1020NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BBDCB864CF75DBC568063822DF780F8A,SHA256=5E150757B7794128373073A23507D2A86CD4A7DEB2D4324ED65D0993E883E2E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028549Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:51.522{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FDE711EB895036E028BF0691156BCFB,SHA256=2C45FF4E01FDCD0AA18459C05074ED774C6ABA3DFDF6E25CFA386B6BD29CA8C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047541Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:52.792{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\surveyor-20210906115751-117MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047540Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:52.629{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB0C35C3D9300A81B4ACA4E98773672C,SHA256=8D1302ECFA15C58A84E7591DA3D3D7DE302D22004A94E9A3C4B83E87F1D7216F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028551Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:52.538{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A200C3C5079D0E90CB926C65BFFC82E7,SHA256=B5F01CE8335AD01902ED38CF65F811CDA67E8F5CB81AA492ECE846A23C23312B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047542Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:53.646{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F49E3996764C1C8B6D8B60195F816936,SHA256=364793CF1AC42A7CEF347F50DC36ACA6CA78F66BA4C71D53998D49536EAF5055,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028553Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:53.553{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DA12F455D33998E98710C6B3A88E1C4,SHA256=2B3C19740E5212DD9294E4AE4F01C1AA0AE692577240330D71EABFE4557E6113,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028552Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:52.061{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51098-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028557Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:54.569{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B1D677193802F39EE0CF85CF54C366,SHA256=55B9F6A2874F2F256896F058F8C3F00F07420F60081889E9024E7FA00BD94F6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047543Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:54.662{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90CE4EEAD52E8915DFDA8D43E7208304,SHA256=17A23E55E5DEC21AEC363519CE388215CF2B91F342650705AE7DA1DD0A64325F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028556Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:54.038{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041E-6136-1600-00000000F101}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028555Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:54.038{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041E-6136-1600-00000000F101}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028554Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:54.038{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041E-6136-1600-00000000F101}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047544Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:55.677{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA0192FBC4C6FBCCD351E7F10FF8D850,SHA256=81FD52C03A008BF4764175AAEF20CDF380B3668729F5336BA0EC6CE1659BF29B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028558Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:55.584{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC525A686596ED4C31DEC0B19F2968B2,SHA256=37670B3ED456C05D94C954C37FC34CFC08E51EE1EE68D9EA0B65F72BFD68F5A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047546Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:53.807{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57373-false10.0.1.12-8000- 23542300x800000000000000047545Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:56.694{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=068E8599DBBCCA5C0B50F11BE2AA3DF5,SHA256=108A4C343B277141C30DC773CF880A8D5BC724309CB6EBAB6FF606B280AD7559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028559Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:56.585{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E4F9E592812841E46CB27215A64969,SHA256=4A516AB6562A15B4542FE13EE0ADA77560ECE398CEAD535C3DF65F6B9F387AB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047547Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:57.713{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CE0B1599D4C86F6A5993BAE1D8F8038,SHA256=48CF9C1BE5724F382244E808534139EC049B63792154A1985FB3114870EF2066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028560Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:57.585{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1491E185C23AD260063C32C5D5A4DCF,SHA256=3F3557B832709D2616E7D052309F195109B3BBC4452F51F9F07EC0BD6898F9B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047548Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:58.743{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E5F881CB0A39CFDDEE1DD3AB0A3FCA,SHA256=6939CD7080351F96F52223CD6442CC05E740AF8792AB4875F1DF848337739916,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028561Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:58.585{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93DD21569D89E336D16C8B97067A0FD1,SHA256=B4ACDB9D3E66E554B2A2205D0C82737C35E120BE8CEF1136D8D6541E3304C20F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047549Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:59.775{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFB921137F259E92BEF47CC3BDEDDCF3,SHA256=AA2F5349E286CF04C260BB8A12D2F198B83B1870524A2F776C275E45DD127656,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028562Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:59.589{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A27947598696673A5EE6DF8D4FE3841,SHA256=5D80EE5ABB30895A89F5696C88D1BAA2ED7EC4CFEFAA6F4EEB853F70DEFF0738,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047550Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:00.775{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99D0F34B0C425FFFC5B480E43D53EEE4,SHA256=443A4AE3C1594D445B16AE0D1DACDA9A701F24E4BBE580B1CBEBF4CC056CAB5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028564Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:57:58.029{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51099-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028563Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:00.604{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=409631529FB0579AD5EB59506B4C201B,SHA256=41F537D7367FCAFBDE0707517D9585CCD0345B5B76B432482565F95DF6944E7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028565Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:01.620{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=059879DF4AD65DD7B22247B90FA8552B,SHA256=4595763C0EB52AD4EE255B1462AEC3F02B77BCC7FB2F792295ECA753009B65E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047551Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:01.796{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F559862AAF72B5B195D8070EABB55E18,SHA256=C52D0730AD279E27F0E437595F39F0ED103EFE43D0352110E5638A42572D478E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028566Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:02.636{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB396EF1E2D90EB12773ED6467A0ECAA,SHA256=291CE2A169E0C1AC98703DC7CF2468B9B231EA1C3859C08D567685DA07A10663,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047553Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:02.811{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D530F2F181A0B4D6103BECDD6DD3846,SHA256=5BD305C90C5BFF51DDD703C5DD0836071E7394C9A1224DF74D92FCE7824C1E12,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047552Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:57:59.804{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57374-false10.0.1.12-8000- 23542300x800000000000000047554Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:03.812{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B065654EDCE3AA878600872CAC4EA5E1,SHA256=9810658AB2BBABC9B81BD29F7CE8BF12B0CEE17547D9CAE7885B777854DE7C91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028567Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:03.636{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A25164D4A125139B6870ACEBA830C53,SHA256=0189A22DABE64BF5013DC390BF3E72D2962CB17C2AA06CBC2638B71E633466AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047572Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:04.937{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1E6C-6136-5009-00000000F001}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047571Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:04.937{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047570Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:04.937{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047569Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:04.937{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047568Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:04.937{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047567Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:04.937{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1E6C-6136-5009-00000000F001}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047566Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:04.937{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1E6C-6136-5009-00000000F001}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047565Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:04.938{323FE7D8-1E6C-6136-5009-00000000F001}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047564Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:04.821{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96D6974E84497D165D230E407BAF5825,SHA256=07476FE32469DD00984FF62BA207AF9F0E64859A946A455AFA6F326E8820A991,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028582Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:03.034{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51100-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000028581Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:04.698{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1E6C-6136-C806-00000000F101}1784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028580Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:04.698{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028579Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:04.698{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028578Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:04.698{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028577Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:04.698{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028576Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:04.698{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028575Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:04.698{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028574Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:04.698{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028573Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:04.698{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028572Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:04.698{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028571Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:04.698{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1E6C-6136-C806-00000000F101}1784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028570Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:04.698{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1E6C-6136-C806-00000000F101}1784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028569Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:04.699{FFF7FB96-1E6C-6136-C806-00000000F101}1784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028568Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:04.636{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B45F1C6A322F22FA2CF34A91D4C11F2,SHA256=08F83B898CF40F6E98A554494D59A48E896F9D7CE15D49BC4EA1A677BABD086D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047563Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:04.675{323FE7D8-1E6C-6136-4F09-00000000F001}33124664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047562Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:04.443{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1E6C-6136-4F09-00000000F001}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047561Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:04.443{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047560Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:04.443{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047559Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:04.443{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047558Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:04.443{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047557Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:04.443{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1E6C-6136-4F09-00000000F001}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047556Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:04.443{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1E6C-6136-4F09-00000000F001}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047555Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:04.444{323FE7D8-1E6C-6136-4F09-00000000F001}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028612Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:05.901{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1E6D-6136-CA06-00000000F101}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028611Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:05.901{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028610Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:05.901{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028609Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:05.901{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028608Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:05.901{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028607Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:05.901{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028606Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:05.901{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028605Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:05.901{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028604Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:05.901{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028603Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:05.901{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028602Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:05.901{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1E6D-6136-CA06-00000000F101}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028601Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:05.901{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1E6D-6136-CA06-00000000F101}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028600Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:05.901{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFA7F13E15AA1E3E316BDB5834757E50,SHA256=0F371F768ABE17C1D7CA91CCCD57E11038263D942280BC4A0194F3AB30B579DB,IMPHASH=00000000000000000000000000000000falsetrue 154100x800000000000000028599Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:05.904{FFF7FB96-1E6D-6136-CA06-00000000F101}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028598Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:05.901{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB3A0B129125966AA7AF929EA57DDDBF,SHA256=4EE32E4FD76EBE7399858EE4531F5D8DC1C054BC4C8B83D01119A6F859C73C82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028597Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:05.901{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=731B5F9D249B29E0C149F3C2F60773B3,SHA256=FD4E10A88B516883AB009F32EDCF95D627BBE2641836F15547DCA9CF0F7335D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047583Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:05.838{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57AAEB8AEF9C85DBE2A378B81BCC6B4B,SHA256=DCAC1C2D4DA135853A5A46129539F5715D18F2F515D5E075F3EA8A01B71D8CD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047582Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:05.506{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1E6D-6136-5109-00000000F001}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047581Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:05.504{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047580Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:05.504{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047579Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:05.504{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047578Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:05.504{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047577Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:05.503{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1E6D-6136-5109-00000000F001}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047576Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:05.503{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1E6D-6136-5109-00000000F001}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047575Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:05.502{323FE7D8-1E6D-6136-5109-00000000F001}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047574Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:05.468{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C9D4B6C5A1211F4D841DB5F695797B4,SHA256=C1DB40427EC168DBA0527129AE6F9878CC07712BAD7FEA347AD572BCBC620B49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047573Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:05.468{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99B212FBE7EF8BF301B4CB725647C485,SHA256=6DCF46B030B264F2D38A3393E03F264BFD2B66481D900E033CCFD19DDA5139CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028596Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:05.542{FFF7FB96-1E6D-6136-C906-00000000F101}988644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028595Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:05.370{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1E6D-6136-C906-00000000F101}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028594Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:05.370{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028593Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:05.370{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028592Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:05.370{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028591Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:05.370{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028590Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:05.370{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028589Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:05.370{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028588Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:05.370{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028587Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:05.370{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028586Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:05.370{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028585Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:05.370{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1E6D-6136-C906-00000000F101}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028584Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:05.370{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1E6D-6136-C906-00000000F101}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028583Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:05.371{FFF7FB96-1E6D-6136-C906-00000000F101}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028615Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:06.964{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFA7F13E15AA1E3E316BDB5834757E50,SHA256=0F371F768ABE17C1D7CA91CCCD57E11038263D942280BC4A0194F3AB30B579DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028614Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:06.933{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20E111C41E9D972F2369F6A2161D77FB,SHA256=402D66C2C28B11869E76DFFAED3558012049B0B58AF234289BAE76BC2F5B7A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047585Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:06.868{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DF4B05B08C8F56D690F923E038EA732,SHA256=9F6F878D2C6439C7A4BB7F4378F00F2E522541A1BE2FBAC9D1088C41F5B9BFE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028613Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:06.089{FFF7FB96-049C-6136-9F00-00000000F101}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047584Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:06.537{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C9D4B6C5A1211F4D841DB5F695797B4,SHA256=C1DB40427EC168DBA0527129AE6F9878CC07712BAD7FEA347AD572BCBC620B49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047600Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:07.936{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1E6F-6136-5209-00000000F001}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047599Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:07.936{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047598Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:07.936{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047597Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:07.936{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047596Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:07.936{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047595Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:07.936{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1E6F-6136-5209-00000000F001}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047594Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:07.936{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1E6F-6136-5209-00000000F001}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047593Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:07.937{323FE7D8-1E6F-6136-5209-00000000F001}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047592Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:07.902{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DAB4FD276F11D187BCB5EAB1F92FBCC,SHA256=D8DA6EE94E397C50AD66CB74644A5CB7B64835373CB86AB1DCAEC960F38515EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028643Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:07.995{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028642Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:07.995{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028641Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:07.995{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028640Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:07.995{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028639Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:07.995{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028638Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:07.995{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028637Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:07.995{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028636Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:07.995{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028635Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:07.995{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028634Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:07.995{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1E6F-6136-CC06-00000000F101}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028633Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:07.995{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1E6F-6136-CC06-00000000F101}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028632Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:07.996{FFF7FB96-1E6F-6136-CC06-00000000F101}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028631Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:07.933{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E1A57CA0C6F236BF39512DD21E0824F,SHA256=D83BE95922E35743703A437BC802833780E4CB2334F126D4426ED709E31FA6C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028630Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:05.925{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51101-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000028629Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:07.511{FFF7FB96-1E6F-6136-CB06-00000000F101}3481156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028628Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:07.323{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1E6F-6136-CB06-00000000F101}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028627Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:07.323{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028626Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:07.323{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028625Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:07.323{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028624Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:07.323{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028623Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:07.323{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028622Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:07.323{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028621Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:07.323{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028620Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:07.323{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028619Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:07.323{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028618Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:07.323{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1E6F-6136-CB06-00000000F101}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028617Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:07.323{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1E6F-6136-CB06-00000000F101}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028616Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:07.324{FFF7FB96-1E6F-6136-CB06-00000000F101}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000047591Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:07.401{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-022E-6136-1500-00000000F001}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047590Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:07.401{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-022E-6136-1500-00000000F001}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047589Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:07.401{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-022E-6136-1500-00000000F001}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000047588Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:05.361{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local57376-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000047587Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:05.361{323FE7D8-023F-6136-2800-00000000F001}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local57376-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000047586Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:04.829{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57375-false10.0.1.12-8000- 23542300x800000000000000047612Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:08.958{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A30DD8C3C6C5E09E584AEE79529B664D,SHA256=71EC051E56F18C642286202CED62685E016BF74F4152A95C504E0A358E7618A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047611Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:08.926{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C1DE2D7F7B21A13C02161080D6FD938,SHA256=BF118D19DEB02626E01F007004136D1D6C1B9CE81D1384625A6A61696FBB23B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047610Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:08.786{323FE7D8-1E70-6136-5309-00000000F001}17006536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047609Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:08.607{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1E70-6136-5309-00000000F001}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047608Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:08.605{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047607Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:08.605{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047606Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:08.604{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047605Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:08.604{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047604Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:08.604{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1E70-6136-5309-00000000F001}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047603Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:08.604{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1E70-6136-5309-00000000F001}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047602Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:08.603{323FE7D8-1E70-6136-5309-00000000F001}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000047601Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:08.140{323FE7D8-1E6F-6136-5209-00000000F001}50326316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028659Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:08.667{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1E70-6136-CD06-00000000F101}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028658Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:08.667{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028657Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:08.667{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028656Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:08.667{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028655Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:08.667{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028654Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:08.667{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028653Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:08.667{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028652Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:08.667{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028651Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:08.667{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028650Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:08.667{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028649Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:08.667{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1E70-6136-CD06-00000000F101}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028648Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:08.667{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1E70-6136-CD06-00000000F101}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028647Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:08.668{FFF7FB96-1E70-6136-CD06-00000000F101}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028646Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:08.354{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D60882460AD922755A7A016276DF7CB,SHA256=ABC72379699DB8FC685DC9F9F177433062CE9BC78DBBA0DC34682A54DDB83AB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028645Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:08.151{FFF7FB96-1E6F-6136-CC06-00000000F101}1362792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028644Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:07.995{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1E6F-6136-CC06-00000000F101}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047630Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:09.942{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC2A3E5636992F79D21E90625424C8E,SHA256=C031B05CEEE8C4F53B63D2CC6267CEAF41A03FA42A20A9CB55B441D9B9567BAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047629Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:09.888{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1E71-6136-5509-00000000F001}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047628Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:09.888{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047627Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:09.888{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047626Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:09.888{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047625Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:09.888{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047624Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:09.888{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1E71-6136-5509-00000000F001}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047623Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:09.888{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1E71-6136-5509-00000000F001}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047622Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:09.889{323FE7D8-1E71-6136-5509-00000000F001}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000047621Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:09.442{323FE7D8-1E71-6136-5409-00000000F001}69362476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047620Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:09.211{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1E71-6136-5409-00000000F001}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047619Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:09.210{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047618Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:09.210{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047617Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:09.209{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047616Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:09.209{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047615Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:09.209{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1E71-6136-5409-00000000F001}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047614Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:09.209{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1E71-6136-5409-00000000F001}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047613Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:09.207{323FE7D8-1E71-6136-5409-00000000F001}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028675Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:09.683{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0989578511CEAED3BA31B643786DE96B,SHA256=CF24A0268EF7D595EBC670EE89347C69D6A8EDA21A2BBB6F5D277620CE66FE41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028674Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:09.527{FFF7FB96-1E71-6136-CE06-00000000F101}38121932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028673Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:09.339{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1E71-6136-CE06-00000000F101}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028672Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:09.339{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028671Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:09.339{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028670Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:09.339{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028669Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:09.339{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028668Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:09.339{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028667Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:09.339{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028666Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:09.339{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028665Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:09.339{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028664Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:09.339{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028663Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:09.339{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1E71-6136-CE06-00000000F101}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028662Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:09.339{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1E71-6136-CE06-00000000F101}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028661Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:09.339{FFF7FB96-1E71-6136-CE06-00000000F101}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028660Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:09.026{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F979CA9B4C48BAA2911BA621873D6A,SHA256=C46611B2B883A6F0FFC3D9C8BB782EA708B90BF9E92B4742594A0EA63EC664CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047632Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:10.943{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36389B43607B95E8B2C7D48E0FE76986,SHA256=75B16482252D79E2EB69FA9D7FFB9B3EE5CC07A2C64706C3B16F65EEA4CBFECF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047631Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:10.228{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D0EEF39806A8F664B0EF72AEE53BF22,SHA256=9B1EF7F7AB48EE4DB816C29EB338D1E3F2653B2B7B3043F27B5B5129108F78A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028676Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:10.104{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B87480FDE02490E77DC873447DA8188,SHA256=A081444BB231958333344DC332BFE9FE71FC0FCA5D6F46D8B9C759F47BC4230A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047633Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:11.958{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B8D050E6E6C0050BD992EAA7326FD3E,SHA256=A676C67D0CF1323B61364102F76BC15FE129CF82FDA3FD5958FF1E9FA28E377C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028678Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:11.136{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC56E29EB5A110CF143FC119646327A1,SHA256=F9BD271B8A3CED8E271D6FFB13E71F2AA62A93BFF4CB118CC6BE228E0CE8F6F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028677Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:09.081{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51102-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000047634Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:12.973{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C653B5C5C86EAC977B696D97B22BFB7,SHA256=81FAA640E06C679D962B3D25D4DA5DCD0F2C2569AC0553362C54230C5EC10FA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028679Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:12.151{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=771B05FAA14F0587CC29D688652882D8,SHA256=D3E9E5F8849A9DBA5B66AD5253111EC883E8DE98853F325AFD15947B87052888,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047636Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:13.988{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D093E4860B794906EE847F347E9C81E,SHA256=991456D144DE3C4F06A7C8F34DC6598BF137516040DDA8B8F50CD1C15A3B2117,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028680Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:13.229{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C0BE32FBEB48DA4B4FEAAA3C3422F1A,SHA256=1982F852A0156F569CC924C74072DEFAF489C13C345F91106DB82A6A200F3214,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047635Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:10.734{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57377-false10.0.1.12-8000- 23542300x800000000000000028681Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:14.261{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5EB0898F058011B01BAE71E6AFA2A2,SHA256=558AE2965F020EAA1F68916C2AF53468C4F5F2E742002457B5B8F1794020439C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028682Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:15.308{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0AAD3DD9BE8D8A5B893115852F12916,SHA256=C64DD1E1979924014835FBB6B428AA63AAA679FCCD11FB11D0849A2752B0B128,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047637Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:15.025{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F951540DEF04A3413D024D97D0E97C2,SHA256=3734EBB7F78AA8D030A2AB4E96C6BE4F1DC533379A1A4F12D3550A79F7DCDCC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028683Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:16.323{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBAE64EA6A376C9E64B2621A68A2D438,SHA256=577CB97C977701A0287382A90B46AC553DE4D4FB9CE7F18D51F4DDC777B776D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047638Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:16.071{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC9D0F79B01D5C2F4BB71C74859429A,SHA256=8242D5F223BCDA02E9220CE597C8737783C487543634AA35D6EF29D7F65F6E80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028685Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:17.323{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=940A981C4F21912EC9C3E31DA84511A5,SHA256=68A5F08E9CE05DE77D4062EC5DC303CA5516AADE0FFBC24E263D02C1B883FB6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047639Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:17.086{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E298830703CE6F3EEDF9F71359FA150,SHA256=5A78BFCE90E37C0D54950F77C3699B9F10F5313E5FDBE40CDFD88877F0DA00A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028684Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:15.081{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51103-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028686Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:18.323{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7923B7A78A31B147970C436C5B07F863,SHA256=837BCFDB16B3E7B1D40EF54B041D764E7788FE0450BB45F6AAC34544056FE217,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047641Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:15.747{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57378-false10.0.1.12-8000- 23542300x800000000000000047640Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:18.138{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C68316B65C1500584AB6155668D3493A,SHA256=1E7FAC1BA68FCBADD138922D866F79163C68EEB5B9F7585BFE1A728642C6B4CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028687Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:19.323{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C5CC07D6DDA753CDC909A238CF4EEA7,SHA256=88A35EA4CFB65336F8E395FC7419FEEC4863AA8044EE2064CB350118E774B9FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047648Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:19.768{323FE7D8-053B-6136-6E02-00000000F001}44405196C:\Windows\Explorer.EXE{323FE7D8-0617-6136-F403-00000000F001}4476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a50|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803046D18A8)|UNKNOWN(FFFF8659940A5B68)|UNKNOWN(FFFF8659940A5CE7)|UNKNOWN(FFFF8659940A0371)|UNKNOWN(FFFF8659940A1D3A)|UNKNOWN(FFFF86599409FFF6)|UNKNOWN(FFFFF803043E9103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000047647Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:19.768{323FE7D8-053B-6136-6E02-00000000F001}44405196C:\Windows\Explorer.EXE{323FE7D8-0617-6136-F403-00000000F001}4476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55531|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803046D18A8)|UNKNOWN(FFFF8659940A5B68)|UNKNOWN(FFFF8659940A5CE7)|UNKNOWN(FFFF8659940A0371)|UNKNOWN(FFFF8659940A1D3A)|UNKNOWN(FFFF86599409FFF6)|UNKNOWN(FFFFF803043E9103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047646Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:19.768{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF6ea09e.TMPMD5=4F8EF1C2D0CD074D7EF5CBE84B3E29E6,SHA256=5DAD2EEF2DD790596120355F9CB5804457452E6EEBD4F53B0DF824C4CF2242DB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000047645Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:58:19.206{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9752B235-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9752B235-0000-0000-0000-100000000000.XML 13241300x800000000000000047644Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:58:19.206{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CED8D70C-FDB7-4280-B713-3A56B1B8A289\Config SourceDWORD (0x00000001) 13241300x800000000000000047643Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 13:58:19.206{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CED8D70C-FDB7-4280-B713-3A56B1B8A289\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_CED8D70C-FDB7-4280-B713-3A56B1B8A289.XML 23542300x800000000000000047642Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:19.153{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F78DE619F340B3F5C5F4A8E24BAF76F,SHA256=48E6CA3FED6F2B367981EB817FBA437C9907CC00F205E1C1C9B90442193C5D0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028689Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:20.353{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=520B621A7DF11893259AFBB9A4CDE309,SHA256=AEC506E00941E0F75507A008899053B5F3494FFC675D291BD84B254159AA52B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047657Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:18.822{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local57381-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 354300x800000000000000047656Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:18.822{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local57381-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 354300x800000000000000047655Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:18.812{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local57380-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 354300x800000000000000047654Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:18.812{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local57380-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 354300x800000000000000047653Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:18.793{323FE7D8-022E-6136-0D00-00000000F001}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local57379-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local135epmap 354300x800000000000000047652Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:18.793{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local57379-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local135epmap 23542300x800000000000000047651Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:20.253{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3840D70648188CDDBD3777C4BE5510B,SHA256=852591B5B4DD34D9E6E0AB434000EED2F49172B51E6D22387E663CD8AC555740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047650Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:20.237{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66FB588C8D284A91A1B533ACBCB3EB36,SHA256=F1DAB4D97EA30328CDDDE243F7AA2C7F8A33D42DA2E61AE118DB4AACB9F37318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047649Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:20.168{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF1BA7E94337FE7B6EE93EDABF927B30,SHA256=5E00F6D5F79D7C071CE641B80B9B2E485F717B0F5123596CFF6D2F882330AE37,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000028688Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:58:20.025{FFF7FB96-041E-6136-1100-00000000F101}1008C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a327-0x3fce4e60) 23542300x800000000000000028691Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:21.369{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=216EF7B66A6D88FDB3A0735E7455F964,SHA256=F38C414356EA48DBDA70DE429936A30F1F433FE34604E443F65B86819BFB570A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047658Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:21.183{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB97D3F497309D7597593BA03EFB3AA7,SHA256=92E92CE64FC442E83704DE8CA1E1BDD335BDD5BD58F5A333BA8CBE734797C89B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028690Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:19.860{FFF7FB96-041E-6136-1100-00000000F101}1008C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-353.attackrange.local123ntpfalse169.254.169.123-123ntp 23542300x800000000000000028693Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:22.384{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6549E0B02E024DF20217DA987B88E674,SHA256=629D951F2C9BBCB9CF1829BCC3F2DB566863BC7A324F8C344879094490256854,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047659Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:22.220{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF81A4AFC6669EC595165285130954DE,SHA256=46F12F5E2C1164E5A6835245EBC693E432EC7CAA12CE48E7A11B7089910749F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028692Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:20.912{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51104-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028694Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:23.416{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=369838A473F21C0238D524C00CD91EB3,SHA256=D5D60F227AAF4B7E52ECFA7C8F1BD1F4AE1A0D06B112BD43AD61FCCFAD1F429B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047661Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:21.759{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57382-false10.0.1.12-8000- 23542300x800000000000000047660Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:23.251{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=362F17F1DD568FD48A0CFA6AE4422390,SHA256=CCBBDFEE1F6CC21157BE062BC1860329C5638B55EA1A610FC5AB470E7AD6D6B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028695Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:24.416{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D284268DADC74463A5963721E4BD8C80,SHA256=233D699BC8762A2869B26062ED267F45AF5D58299E130032208BE3258D7B126C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047662Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:24.281{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37BC57C3AB76C91C8699DBE84BD32C1B,SHA256=7FCB4194783313E31A1714727AF14FD8ECCDDAB8C68F743D8076ACF539D77642,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028696Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:25.447{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D7B9E24D4F27C3F5991F42C7241C18,SHA256=8D30440CDE795231493749F740840A6B7867503F7675B0FB44BE0CFACBB67C89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047663Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:25.299{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FE9B09FE012ECFC09BB08666801EA0B,SHA256=0FBC32FD23C1FEACF0EBB8A96D29A72A28E21702FFE8B8F0AAC2FEA6418BFE28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047664Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:26.318{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB00DBFE5835006B8BAA6AF4FE4591D5,SHA256=D76371899C6650C68486F91A9807A27D30EBD4285BE7B40010C2ECC3D9A68737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028697Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:26.462{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=169B21A06F74BFF6B644B731180772F3,SHA256=59C17D6C826F75B1A679FBB08E5CD7063333073B9C083022EF6FF84F55E2B288,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028699Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:27.462{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12574976EBB2EF080DF4FAF9A68AC533,SHA256=D20A03DF9C5D2694C9E10636EC319FF152643699959C773DA6D04E3705FB1EE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028698Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:26.095{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51105-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000047665Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:27.333{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A74122AB7DFFFC91497880500067F33,SHA256=6C865CA15229688BC2B28A24F26CC630C7327F93B314E1710A72FA322E3710CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028700Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:28.463{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=209CB363FF0994C2B843EE689EB1C2E8,SHA256=3F82512D62E0938992F8274EAC317F14DC27EE2E3C7CEF02AFB661F7531350F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047666Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:28.348{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23087CF2FD1721F68587C526FE7151B0,SHA256=ED3BBE5205058C0A29DD34E7E25F4D6806A3C349DE881FC5E9EB7D7A304C2DE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028701Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:29.478{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2075EAA6A5FB8954FEEA723B6861DA0,SHA256=0F1230888D1CE9E3C2A27B3AFE1454D26437D1CBDBDFB5EB6EF35B5DD6808571,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047668Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:27.725{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57383-false10.0.1.12-8000- 23542300x800000000000000047667Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:29.364{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DBCBA76515FC73E23778BB0BA2F5D46,SHA256=87B73A345982F91199138F52B08A56753506C15391C48B140C5859BDB35AF140,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047670Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:30.647{323FE7D8-02BC-6136-A700-00000000F001}1036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047669Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:30.397{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E67CE245A8951241F582F0EEBECE7A14,SHA256=9C4A77C6778084A58E8F90BA86937C8CF9AA8672358F0BDD48283C3D52E1D6BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028702Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:30.509{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=013DFBBFD1672C7BA4CFDD9AD501D9E8,SHA256=679D8B30A2B624E8A5712D1D8C9DE5437345FA05E3EAFC0AD1A8EAFB8D50BD09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047671Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:31.431{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCF55A3B0F1DDC35E291C8B498BF9910,SHA256=4F9D7496784D4EE82D887C0C284C88EE76DEDE6991A4C080BB0DF3BD62582156,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028703Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:31.525{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AEF14A9C2E969FB400DD51737791039,SHA256=8FC65D16975BFD66D545B221E0B0ADA4BC94741F21F1B04D205CB651E64F7FAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028704Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:32.525{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC5851A86BE6BF57C9045AB18F038D24,SHA256=75C0DAC29AE0EB746995FCCD80E38BABF35EB3E14559C06FD37C85CD446E9052,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047673Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:30.224{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57384-false10.0.1.12-8089- 23542300x800000000000000047672Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:32.446{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D56CE10EF6F4E892FC0127482E5F687B,SHA256=708ED25F9E699FCF77D4025A5F60843530EFCABD84B8C35A6716A4950A002FD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028706Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:32.064{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51106-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028705Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:33.525{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B0202DB915F56EDAA66611A9A72E06E,SHA256=74EF87AA82EF3B12AAD0FCD2AE33FF4328B728A2D8DAAFE759BAB0EA3A573B8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047674Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:33.461{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D4A9D75AA9FAC6FC74C3851442DCCF5,SHA256=96A0FAFF00C5333E9C364BE25C1637B015B706A492B2450BE60AA524D4788387,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047675Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:34.476{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=743D3CAFABBCF3BF3FD7A7386977DE52,SHA256=780A9BBBAFF40A1D51F7C53E92045A2861A7D4EC600543BD609702968C9C809A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028707Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:34.541{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=630088ACBA8D713F3D258AA219FA4F78,SHA256=A84F938E467200CE27296DB0022D4E3E7696FAFAC2F57BA5063D75BC77FD49AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047677Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:33.737{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57385-false10.0.1.12-8000- 23542300x800000000000000047676Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:35.493{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87DE26A13EB2138FF6F3F3BDF058962D,SHA256=5EA25C0938A434C5283013BDFEFC430A5E8887F298A885E2B5A8D26E24A8304A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028708Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:35.556{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F8405ED16F170129E6205DDFC44429B,SHA256=AB381E116ED629A4F71A2493BCD23332240B71713A63981AFE554E79C999A272,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047679Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:36.528{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E99FAADB144D2C345DE7426C09B12AA,SHA256=A4E5F678AD7D63DAB099C5A58073FD65309A9A01B606EAD095AD6A517D080729,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028709Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:36.572{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=817D67306CC02250A39091B9DABD8440,SHA256=E227448F00186A3D2B085DDE99E34C8A2E2483CD610389856788B896B7F37472,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047678Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:36.375{323FE7D8-022E-6136-1000-00000000F001}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=EC37ED83E304488B43812BAC57ED8464,SHA256=14A102A1EF6B5138544020093FCB83674A087B6E2837BCD1DA3F1F8041E29EE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028710Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:37.603{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C96D1B917AAEE99836474A502102BE5,SHA256=9A7E95B7DF5CFA1810EDE6E0A0953C77A3F7E33DE9BD17CFEEA9427F86F9AC16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047680Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:37.558{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61E6BB9150932620F95829A97015DAA1,SHA256=FC9ABD796F363B9BB97D53A17415A36DA02417FE85246FC83AA8578AAC9D60E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028711Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:38.619{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=444149516DBE3A2274633AB1170BE17F,SHA256=DA4408067CED4F979E3313C3F62AF4064D3B3153CB224B9A5B05BE210666A569,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047681Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:38.591{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=293C3143A3C35490742EF96B164B8D8C,SHA256=5BC876D323293102AB65C3A81EFA83DA9DD05D764F31C169AA18A8903F05CE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047682Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:39.603{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6443F76770F7E4B0BD4ADBFA751389D,SHA256=35A5AE173152DB2963665A556C5E0D91A21035BCE4DD1CD2C9CBF21BD2DE45AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028713Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:39.633{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BE47B21D055968ADEABF39CB1CEBAEC,SHA256=F8F586899BE7BEA7563147197DDA040D05D32A63086E1ACA71400974D7E7CA17,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028712Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:37.095{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51107-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000047683Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:40.610{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8A8F7603B80908BE713641BA20CB766,SHA256=95A24DF91EA6AD66E63704AF7C055EC869FC39E12275C490517B96B14F6C3469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028714Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:40.680{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=739FD17C4ECD740C50D3CD5D82EA3353,SHA256=5F416B16C96249D8580CB80FD0CB35B8FC839F58CABC76ED24B00B095176BBCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047684Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:41.641{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20A4C0AEB1962E5E6C7EFE285E9B77A2,SHA256=C74975D25F66F65E2C183053EBF3B5A66C4E16AB5227A5B78BF19431483F2504,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028716Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:41.698{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=905DE6A9430B0BF624EDA04A05B9ABA6,SHA256=DB459A2EBBC65C20468C233CBFB0A13856E9159EED38B608F07ADB2E687F07A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028715Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:41.544{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\respondent-20210906120554-109MD5=4761C661187147E55C9BD88F93ACDD3F,SHA256=E49051AD655512C416AEEFA39D6145E31F50204E8459201070596158B48A8487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028718Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:42.727{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A86631C02FA730AA8D372507ED209A7,SHA256=6B88D9E07161B96F30536C029F50E278A142B9DA41D3CFBC7759C66F1A71956B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047685Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:42.655{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D753A2C65A562DB357AD3FB97921BE02,SHA256=29CD8EFFFE3CEF3A50BF3FFF4C2EA944088552F8BF64FA29F9141D7BF1B6D4B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028717Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:42.559{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\surveyor-20210906120551-110MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047687Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:43.670{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65DA5A6128E7D4F5BB0E38ACF83796E0,SHA256=2BC299D2441B1447718BCED5D4CA7A821DAFC7E3205BA4B5A97967B612071E77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028719Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:43.729{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B544C68169109CEFD3832B7EC851E576,SHA256=5554C31ED388B34360F4F8D8D587793DF72507C6A1691A5125D08FB5A63D63CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047686Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:39.733{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57386-false10.0.1.12-8000- 23542300x800000000000000047697Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:44.690{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B4370B0BAC1A4154D3AA4B5D82AFEAB,SHA256=5FDD457BB537BCD03A7D3234F23D7FF24A7015C532E7116F256B848BD3E33E4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028720Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:44.745{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44DC23028A8614594E4B7BD982190E44,SHA256=D0C0EF2024B590AD4F7CF530DED4226E44CC170A508F21ECD45D8E72C86A5DC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047696Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:44.223{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=228BFB1216D32EDD592F020289536E12,SHA256=6EEDD213ACB1EE3FCB96A1C2821B89EB2B9C1DE30116C10DAC233D9B9EA17A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047695Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:44.223{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=8F588BC407F0856B84D493B330FB5594,SHA256=79E59EB8ACD4EE2E8FBCD9857AD2E1D6EE64591515295ACA825456F143640352,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047694Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:44.223{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=66D1754BFFAA499192F52416AFAD392A,SHA256=3F162E89A51714997EC11BADFFAC4798977AB1A2C8E4573E944EA8E77DA50CF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047693Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:44.223{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=83515AE295468B108B7CD03737D2BB4B,SHA256=17DC13A347CBEA1B400337510EBB99AC65E7FD7A0A8E3E22FF4959755E1C547B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047692Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:44.223{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=C3733E7B653BE157C1C4EC0EAC77231B,SHA256=B249F7BA28286385C51E9501403AA507D1D84E647D1A0C94EA4BC21D416D2ECE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047691Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:44.223{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=CAE5CAB01010F73389CD53CA177B8E95,SHA256=466097A51D0A6CADF777726DECCB9E4AE2D54C05D3F6EFE04612F44E599C0AC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047690Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:44.223{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=0A7B4FEAF0C640BA681FE563DBFED954,SHA256=D70DA36FD6191205AA3D201CE8501FF4C54631DB42F794D670DE026EAC7D4B9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047689Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:44.223{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=D6EDA84C4CA042D55048C8E7A85B0847,SHA256=217F5934FDF8BF65D573138F0A80231056C5C0388EAA2FDA2BE69807154AB71F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047688Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:44.223{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=87AC3D6F6AAA35B49C95141DCCD9D05F,SHA256=4CAF3EFD465C531F8073F6707C21BA182F24B60E7CF17808AA749AA6313FD2BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047698Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:45.706{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=412AAA4C5C54817C6A80FA164E461117,SHA256=DFE017A1FEF9066823B70C85FE73EFE5F40B0C5785B14594FE84BEB5B8CBF036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028721Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:45.745{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39B785D051FAFE440D27864D55D31A9B,SHA256=E7E52B6A13DCCDBF60B292267E93D497A7A955722C7D032E90E3D4DD2114A388,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047699Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:46.737{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D710A07CBAAB8A01D50CEC2CD0B612,SHA256=BE337F6EF79312F9FB26DB73B0397C09410B656800DAE6AF3ED063E17A318BE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028723Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:46.761{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21364C6235567511018089DC55FCEB4E,SHA256=9FE7B88F89D22B1E441D58421831FAAFCEEB1AF1544194B7E3F1FDB25638FEE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028722Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:42.971{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51108-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028724Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:47.839{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15C35EEF0C06D13C5BC8889658366026,SHA256=36C16F98837B0C680AEC73CDADC5E44E3648DA42C418981F048216966EA34400,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047700Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:47.768{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37E9B9129BBDFCDAC44F8A0C9F7F2E13,SHA256=08D02D431C593CE0EC416D60AC2710E68063C4A67395DA6EB1021D3D13B68A90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028725Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:48.854{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D799DB1A518DF8D80C77A08CEE399D63,SHA256=528587F77301574026CEB84047EFFD6E63C86E37F474282FAD25446101DDB696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047702Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:48.786{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=995A9ACBDE2E92CE70E26F3A7759FAD1,SHA256=5DBF829278681C59748AE501A6A8AD9A0447874507A2BF34F4C882379A30104E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047701Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:45.760{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57387-false10.0.1.12-8000- 23542300x800000000000000028726Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:49.854{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AF64A1ADD3CF51CBF8A69B3868627F5,SHA256=BA2126A9F70785C81A0CF2E7F7004C7647931720099C28D58A751F42DA354CA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047703Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:49.805{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BC0223FF2BD2F7AB9E894997933D9BA,SHA256=D638D0B42339E8113399235745F3A71ACECBFD8E5D9117552D2C3A7AAF759D8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028728Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:50.870{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E343AEBD3F3CE87DA76CD80E5C35F8AE,SHA256=0E8E42AE96FE08D72C55748591EA8D524305ABEF2BB9796761B37167373BCCDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047704Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:50.820{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A34605AD9DF20648E158CD0AAA5E58,SHA256=6475990C7BCD75B46C49B0EBCF82728DB3D03065907FA9738DC14F8E7781BD1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028727Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:48.002{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51109-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000047705Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:51.836{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE665CE81011E6547D9EDB5D9FFDC242,SHA256=ED0ECACCFB250AA06DA6D99B8A99CC945EE33ABE1E66DC938CE0CED09F28862E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028730Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:51.870{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=879E789675F091CB18AC93B1BAF79534,SHA256=A5F34991D87E66EFD6D06FCE0664271608D4EF13B81046C92BC5FBCACB0B7657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028729Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:51.714{FFF7FB96-041E-6136-1200-00000000F101}1020NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5E6627755A6C637BABD4AB5BD6E7757D,SHA256=C0F84D6D98AFF1A7305F4D86F44F2A3B30A5F820F62EBCB3415396335AC28917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028731Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:52.870{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA889215D12D2979EF4CC831153DC94F,SHA256=BD1730E60DD89B8E1ED02121D08CE0ADC5613215803447035DA67B6D99DC1BED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047706Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:52.867{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C25A025C60C1E801B9426E1E8BFC947,SHA256=E5966B1E730782BB8AD33BCCE92163128F91E0C31246BB550E58C424F8A77F7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028732Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:53.886{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB4BF21BD8C4A2E0BB7364DD5E58821F,SHA256=AD3A0C2A9FBD5899DAB1A0749B66367EF75AB9E6ADA17892264646A304F963A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047708Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:53.886{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F72993CCDC5BD42537AB4045AD78167E,SHA256=F3E029D3CE184F5E31E5FC800F9C54CE9F1367A45FBBA7C209972609EC181128,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047707Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:53.323{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\respondent-20210906115753-117MD5=58D52BFFD80488B8005F7C319C2D4334,SHA256=B9D8441D1BC2ED8425146F5F211E2A21C477807F4E0B7EBAD9811C868FAB9279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028733Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:54.901{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=720C2B8F858B938EE06DD91D16A5C801,SHA256=1ABC9C54A6C9FB218826B75BDDBC2BFC8D43A8412E1DC9115207BDD73BEA1785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047711Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:54.903{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F07CF13BB12AF520AE49A9098186F73A,SHA256=13C733CEA6F4DBF196FC2F55753F3649A2103E73DB6E461FBC16AC45AA478F43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047710Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:54.336{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\surveyor-20210906115751-118MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047709Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:51.644{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57388-false10.0.1.12-8000- 23542300x800000000000000047712Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:55.904{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CAA5858678FA40863090A840EB8436B,SHA256=C403063EDD5CC89EF1E8050B46EF69BF69A2994EB35C34B5259568A3CDC6FD10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028735Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:55.917{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95C27F9875955CA776FEF26939B0F5C1,SHA256=03EE32819C4F78B53CC8218DB97DEC7887B542B12E79E87836ABBC49563C0FDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028734Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:53.049{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51110-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028736Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:56.932{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF8FFFEC23917FFF5FDD835FEFE79BB2,SHA256=874C3E91D6CC8FC3D6C2105C4C900192BA36ECBF16433E14F520665C78C6FF26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047713Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:56.919{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20A0DE0D4FB7256AAE6F94966C5E6B62,SHA256=119C225AFB615D872D7CF6B2FAB2524E66E5C626B9C265C5B49C8CA4615CF673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028737Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:57.932{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C95CB08EA60FF59580BB8CA33FF16EFD,SHA256=C453A7CE625D1308CD54B1917ABDC09A4A68567AD7BCB853CAECB90A7FA64A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047714Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:57.935{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8907DA3ADCA66510BAB51893B3188806,SHA256=72405102F78084053483765987CB9B8E71D066EA2E6C72F792265063DB0E1E95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028738Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:58.948{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C93BE3052B79E7F52286BD96594DA0,SHA256=B69FC2A234C09920C02C5C3925FE07076A1832263CB38B2658FB4254910421E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047716Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:58.966{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A610CB8856079EB38CBD53624AF4C5BC,SHA256=E1342B79B1176527CDE60A0D421B1981574419743B0E8A8FB6D06E1F7880A219,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047715Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:56.674{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57389-false10.0.1.12-8000- 23542300x800000000000000047717Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:58:59.984{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BB97276CCA9A1FC271BE893EB964AE2,SHA256=4323A356FB32C44E228F8F5C40DAE7C4A45BA91EA13402BB27B80E74BDDAFC41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028739Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:59.950{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=381180DF937C6BB56E02111E10B03FEE,SHA256=B9F861C06CDBBE18D65C8B93C38CAE3C94B8F49C82444A2DBCC1AE78CED68B14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047718Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:00.987{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A901523AE864F747967BB9B67F3E80FD,SHA256=B79B22FBBE08CE0DA607600EFEC9D08091FDAF189DD20C0042072331A1949497,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028741Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:00.981{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A72F1214E491C8BDBEDD5496D85C8147,SHA256=458778ACABFD2A6961E67D188A78FDF24E520938D85420FDDA5531FFE5B422A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028740Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:58:58.971{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51111-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028742Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:01.997{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=807CFC9CF797789A6CF33652EC507125,SHA256=BCDE283B46E3CC243C91D97707A9D8A77C6D1E027CD3E50140164901608D5672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047719Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:02.006{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEE488C94C1100D7EA796EE3F6999859,SHA256=1003D2C47D8EBA6F8344F667E3CF1B4CB0188FF4387943455DC72911EDC92C40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028743Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:03.044{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F1AAC2D1D879357450E8FC2ADBAEF0B,SHA256=06C267BD13E9DCAE763A6C354D6053789CD806466AB8556EBDF310684307ECC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047720Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:03.021{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2C36F0AB3093A8AB243C017207F8ACC,SHA256=178A2E0FC966BA3105C62FD31CED1DC1A0B4105E9405A3A5FFFA93D918681D8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028758Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:04.872{FFF7FB96-1EA8-6136-CF06-00000000F101}23922848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028757Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:04.700{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1EA8-6136-CF06-00000000F101}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028756Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:04.700{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028755Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:04.700{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028754Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:04.700{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028753Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:04.700{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028752Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:04.700{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028751Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:04.700{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028750Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:04.700{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028749Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:04.700{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028748Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:04.700{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028747Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:04.700{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1EA8-6136-CF06-00000000F101}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028746Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:04.700{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1EA8-6136-CF06-00000000F101}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028745Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:04.701{FFF7FB96-1EA8-6136-CF06-00000000F101}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028744Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:04.075{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A47E21A4486D478CFF63A243EB0AC560,SHA256=AB6D7A1F5C676C26A0A36F3CF251114783D6E83BE4E41ABC1EBDC1D2A19C6BDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047729Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:04.437{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1EA8-6136-5609-00000000F001}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047728Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:04.437{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047727Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:04.437{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047726Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:04.437{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047725Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:04.437{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047724Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:04.437{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1EA8-6136-5609-00000000F001}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047723Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:04.437{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1EA8-6136-5609-00000000F001}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047722Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:04.438{323FE7D8-1EA8-6136-5609-00000000F001}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047721Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:04.037{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F66739329AA313560157AABA3EEC2743,SHA256=B6AA50C6400A70F2AB3C916C9A09823BAE404AABF6D95A0640340D92732C80C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028775Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:05.731{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBBB7FBAC95176F23D12EF120BA6ECD5,SHA256=834548EA079BF4E01B217499FB94ADCC79E349AF37AE7E7C1BDBA99B90EA8685,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028774Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:05.731{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8403E2A9448663F2ABBC733E37B55FB,SHA256=04A3214A2954C055B0516C342E39583CBF44D6476C0CCA17974FEFF9CB4F252D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028773Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:04.067{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51112-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000028772Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:05.372{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1EA9-6136-D006-00000000F101}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028771Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:05.372{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028770Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:05.372{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028769Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:05.372{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028768Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:05.372{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028767Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:05.372{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028766Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:05.372{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028765Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:05.372{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028764Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:05.372{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028763Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:05.372{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028762Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:05.372{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1EA9-6136-D006-00000000F101}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028761Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:05.372{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1EA9-6136-D006-00000000F101}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028760Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:05.372{FFF7FB96-1EA9-6136-D006-00000000F101}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028759Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:05.106{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F2FDFA0DE3BBA90AECB789814891F54,SHA256=ED651445EEB0A0492DF600BCC79BD8F16B039FC1988D3BCC61669CE21598C501,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047750Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:05.801{323FE7D8-1EA9-6136-5809-00000000F001}56284488C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047749Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:05.648{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1EA9-6136-5809-00000000F001}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047748Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:05.648{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047747Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:05.648{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047746Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:05.648{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047745Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:05.648{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047744Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:05.648{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1EA9-6136-5809-00000000F001}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047743Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:05.648{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1EA9-6136-5809-00000000F001}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047742Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:05.649{323FE7D8-1EA9-6136-5809-00000000F001}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000047741Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:02.698{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57390-false10.0.1.12-8000- 23542300x800000000000000047740Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:05.453{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8305AF4851BABA029004C55C48D4D650,SHA256=16F045771824E020CE90DCFECE171723583DB5479634C18ADE47A46941A6A41D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047739Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:05.451{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3840D70648188CDDBD3777C4BE5510B,SHA256=852591B5B4DD34D9E6E0AB434000EED2F49172B51E6D22387E663CD8AC555740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047738Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:05.040{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0F587BBC871819D9926F57506935072,SHA256=C0152D58F48127768E2AAF1396C75B7D025E70E566473CF47CC09CFF305D2E1A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047737Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:05.040{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1EA9-6136-5709-00000000F001}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047736Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:05.040{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047735Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:05.040{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047734Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:05.040{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047733Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:05.040{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047732Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:05.040{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1EA9-6136-5709-00000000F001}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047731Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:05.040{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1EA9-6136-5709-00000000F001}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047730Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:05.041{323FE7D8-1EA9-6136-5709-00000000F001}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028790Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:06.419{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A0DC44C4299C0A31FED6CF5EBF3721C,SHA256=B3E3F6C6A04727E0F4286CB23D822F6F4D839FD0ABA90E61FB98F3513AC5E091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047752Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:06.664{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8305AF4851BABA029004C55C48D4D650,SHA256=16F045771824E020CE90DCFECE171723583DB5479634C18ADE47A46941A6A41D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047751Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:06.064{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8FD19ED6C71574A4256AF13C6E0B33D,SHA256=AF6EE21827E962B75C1D6F5477FA4738EA8EE69D21E478EE0ADE6F3401A11073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028789Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:06.106{FFF7FB96-049C-6136-9F00-00000000F101}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028788Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:06.044{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1EAA-6136-D106-00000000F101}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028787Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:06.044{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028786Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:06.044{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028785Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:06.044{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028784Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:06.044{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028783Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:06.044{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028782Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:06.044{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028781Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:06.044{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028780Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:06.044{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028779Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:06.044{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028778Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:06.044{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1EAA-6136-D106-00000000F101}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028777Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:06.044{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1EAA-6136-D106-00000000F101}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028776Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:06.044{FFF7FB96-1EAA-6136-D106-00000000F101}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000028807Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:05.942{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51113-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000028806Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:07.512{FFF7FB96-1EAB-6136-D206-00000000F101}14762008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028805Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:07.419{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B4ED417EDBC0944937F18C97A636B69,SHA256=3CB966ACDAC23AF93582D992E974EB30645BD08F8FA234D9DAB75679290362E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047763Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:07.948{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1EAB-6136-5909-00000000F001}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047762Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:07.948{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047761Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:07.948{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047760Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:07.948{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047759Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:07.948{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047758Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:07.948{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1EAB-6136-5909-00000000F001}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047757Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:07.948{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1EAB-6136-5909-00000000F001}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047756Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:07.949{323FE7D8-1EAB-6136-5909-00000000F001}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000047755Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:05.371{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local57391-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000047754Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:05.371{323FE7D8-023F-6136-2800-00000000F001}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local57391-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 23542300x800000000000000047753Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:07.064{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59AEBEC2F9A1F6414012E5B258F54668,SHA256=ED2C5E4C2E64BF6D749D001AC8D3F04185A20740A0D7588EE481202015D19FB2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028804Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:07.325{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1EAB-6136-D206-00000000F101}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028803Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:07.325{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028802Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:07.325{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028801Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:07.325{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028800Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:07.325{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028799Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:07.325{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028798Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:07.325{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028797Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:07.325{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028796Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:07.325{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028795Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:07.325{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028794Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:07.325{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1EAB-6136-D206-00000000F101}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028793Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:07.325{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1EAB-6136-D206-00000000F101}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028792Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:07.325{FFF7FB96-1EAB-6136-D206-00000000F101}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028791Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:07.044{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBBB7FBAC95176F23D12EF120BA6ECD5,SHA256=834548EA079BF4E01B217499FB94ADCC79E349AF37AE7E7C1BDBA99B90EA8685,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028837Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:08.810{FFF7FB96-1EAC-6136-D406-00000000F101}24002368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028836Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:08.669{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1EAC-6136-D406-00000000F101}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028835Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:08.669{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028834Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:08.669{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028833Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:08.669{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028832Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:08.669{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028831Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:08.669{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028830Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:08.669{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028829Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:08.669{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028828Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:08.669{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028827Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:08.669{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028826Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:08.669{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1EAC-6136-D406-00000000F101}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028825Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:08.669{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1EAC-6136-D406-00000000F101}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028824Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:08.669{FFF7FB96-1EAC-6136-D406-00000000F101}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028823Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:08.434{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2984D593467DB8C80CB7008CBFE1693,SHA256=293A809037F0D4D775B23EF85E5710B48853D37657A375D0C84C7A2E1C566FD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028822Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:08.434{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD7EE9CCE500277429BC3A8E8ECB60E0,SHA256=A357B2D48F6DBA6DD31E5F282FF0848A49D8C6D401D5EF2477A5C081526CFEB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047775Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:08.968{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52A1AE214112B59842448638C43BE02E,SHA256=6E7A02217B0782700CE31BA0E7B07C5EBCE6E6392E01ED4079644D7E806EE2AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047774Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:08.787{323FE7D8-1EAC-6136-5A09-00000000F001}65366012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047773Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:08.616{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1EAC-6136-5A09-00000000F001}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047772Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:08.616{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047771Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:08.616{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047770Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:08.616{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1EAC-6136-5A09-00000000F001}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047769Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:08.616{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047768Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:08.616{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047767Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:08.616{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1EAC-6136-5A09-00000000F001}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047766Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:08.617{323FE7D8-1EAC-6136-5A09-00000000F001}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000047765Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:08.185{323FE7D8-1EAB-6136-5909-00000000F001}3840780C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047764Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:08.085{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C487FB052893265C8858CE0A3075EA4,SHA256=A61989D10CBECF3EA21CE390E11E24CFEFCE6EEA2D38096B925ED0D9D7C82661,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028821Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:08.137{FFF7FB96-1EAB-6136-D306-00000000F101}37201480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028820Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:07.997{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1EAB-6136-D306-00000000F101}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028819Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:07.997{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028818Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:07.997{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028817Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:07.997{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028816Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:07.997{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028815Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:07.997{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028814Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:07.997{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028813Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:07.997{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028812Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:07.997{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028811Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:07.997{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028810Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:07.997{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1EAB-6136-D306-00000000F101}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028809Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:07.997{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1EAB-6136-D306-00000000F101}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028808Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:07.997{FFF7FB96-1EAB-6136-D306-00000000F101}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028852Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:09.919{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20CF41EA1671955E7778391CC474524B,SHA256=A530E37EAE3CB6825767F6D338348365FFF2ACE4534B4D9689B1856424620490,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028851Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:09.919{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6B364200F794CE67CCFE9FE9788B566,SHA256=F7BFD054FF65FA1717D9BBC06F6FD9B0CD1351D591D58B391735DDBBE9DBE195,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047794Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:09.837{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1EAD-6136-5C09-00000000F001}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047793Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:09.837{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047792Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:09.837{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047791Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:09.837{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047790Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:09.837{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047789Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:09.837{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1EAD-6136-5C09-00000000F001}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047788Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:09.837{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1EAD-6136-5C09-00000000F001}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047787Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:09.838{323FE7D8-1EAD-6136-5C09-00000000F001}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000047786Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:07.809{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57392-false10.0.1.12-8000- 10341000x800000000000000047785Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:09.339{323FE7D8-1EAD-6136-5B09-00000000F001}24761760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047784Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:09.153{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1EAD-6136-5B09-00000000F001}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047783Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:09.153{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047782Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:09.153{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047781Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:09.153{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047780Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:09.153{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047779Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:09.153{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1EAD-6136-5B09-00000000F001}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047778Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:09.153{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1EAD-6136-5B09-00000000F001}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047777Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:09.154{323FE7D8-1EAD-6136-5B09-00000000F001}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047776Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:09.106{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11DE4F41515FAEC95D54EC6E3401BAB2,SHA256=8804401D42B13E0F95110DD55FC6B16DD9B0ABCDEC38478AB6EB4E9CB33053B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028850Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:09.340{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1EAD-6136-D506-00000000F101}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028849Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:09.340{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028848Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:09.340{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028847Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:09.340{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028846Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:09.340{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028845Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:09.340{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028844Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:09.340{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028843Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:09.340{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028842Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:09.340{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028841Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:09.340{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028840Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:09.340{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1EAD-6136-D506-00000000F101}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028839Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:09.340{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1EAD-6136-D506-00000000F101}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028838Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:09.341{FFF7FB96-1EAD-6136-D506-00000000F101}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028853Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:10.919{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15D4C0E90B92FB055CAE7B30321F6D18,SHA256=00A26970A1693723C44FDD5006D531E511B6F8F795A1BCAEC650652410EFF547,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047796Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:10.168{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25AD6C5403CCC382047B1678332DD12F,SHA256=2115B3DC9E1A9C9CE4D0DF7D36E8A42F1CB8D6A16A96723BE3E8AFC5DF8E10E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047795Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:10.136{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AF184EEE60A964EB404803AA00C61A8,SHA256=1D1F362586DB9ADD0EB448CBFB84EC843B2CC3316F7D731FF4DE1CB86EA3E83A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028855Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:11.981{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B81D5748B529E53FC2F7ABA37CC2CE80,SHA256=84B391216520A569A5D36498CE636D14858FF98ECEB8F63C98042E7BFF3B487D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047797Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:11.167{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=531E4B0626EB76237D78FD065B48F7B9,SHA256=3EF6BD18C1174EC391B4038E08D3DDD428492344A4D5EA8A397A122B004A20EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028854Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:10.004{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51114-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028856Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:12.997{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8BA24D412CF610018E068D65DBECAAC,SHA256=AA2B9E4C8CAD69CF2C575CA120D037880D9B89C2096FC626B6753B32E862BD03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047798Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:12.185{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFEB2DA2BB33B31643D7F4E0EA13C7B1,SHA256=6E6B91D3CE78D87483A4D32D53433E704090390AC85D942DD7525F3A26CE0D32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028857Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:13.997{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D74627CE8C2B8D27589B0103E8532978,SHA256=67257E606341240C9AC33A361782E89BCA66554B63C7E8B2CCA150BD4A58625A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047799Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:13.203{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FDF752A68E6BF2B8BF4FBE636F21C0E,SHA256=AF1C38B9A06FE045FEA232422632E1EBF616B841C9342B522E121B233A9FD989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047800Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:14.234{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C590054E6F16759D9535AAFBC43E6F0,SHA256=06E31AC70E4CE356242C47FE996DDA844CFA1CAF627E9F7E809A23E0632D343D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047802Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:12.827{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57393-false10.0.1.12-8000- 23542300x800000000000000047801Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:15.264{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF0FA84EF28E2F24B4DA512D117766D,SHA256=9833FDF10D4BCC7A9DDEC79E21E2A2027B2F68A1F27846E912A73D54E4A03A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028858Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:14.997{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A1308146A2D8A8666E0476D0C98C20E,SHA256=3D70B7F6FA4267EEDFA6F2D402122C94696B4C2C0948CFA5865C309AD883197C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047803Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:16.265{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DB17188A2CC77411150CCFB17CA5266,SHA256=E2D85BF8B00F074546B54112D0B5A63D994A868066A3DA357969EBEBCAC9E69F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028859Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:16.028{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C8DC6D0305EFCA488539F5C69C7617F,SHA256=7926BABACECE64871C10C8B9D1D64B136B0B52E2B116517F123D8F5D94BDCAAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047804Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:17.281{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10041C336BEFC0B50C2F128C6F4F98C0,SHA256=6D33BB453F3A059BFF5A82BBBDE7CB1A91A20AAEA2121C034879377AEC73E8F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028860Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:17.028{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E4F668117ED090AF4C9D850FE2843AE,SHA256=F921DE2C631FDAE65EEFBC5A34D2D0650C4AF7E8B66568D6AE1D8BD05B280DBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047805Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:18.300{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27236F36E39A6C26E0B04CBF6539D918,SHA256=602024353583E49FCFD371B52633FE37BD934C6795A02979EAE1DA4D87E07B8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028862Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:15.004{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51115-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028861Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:18.044{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDA5062C0BB5716C6C2D0BD3DEA45682,SHA256=1F0B8328052AC8D166C4A3790B9AFCDC790BF4D66052D6221D4978FDC97AE51E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047811Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:19.762{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\aborted-session-pingMD5=FA4CD4E428B1450F236B445E9109D258,SHA256=DDEB51FCC6B8485B1B332E0E1F92B79D0E8D275FD11D6DD84E75785C1A834D63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047810Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:19.762{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=965A9E2A44F47E37C74562E7147E82B7,SHA256=A69D048AB277B794A43F8BB716CADDCCF8808BDEE5D333A83664598B5CB84579,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047809Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:19.762{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F88448614B21C4CB0522786B51A0AFAE,SHA256=57A1F8747CD586DDFA3CB4C00B817C2E17239E711103DAB1AD3544EEBE4CD0AC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000047808Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:19.362{323FE7D8-0617-6136-F403-00000000F001}4476C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\SiteSecurityServiceState.txt2021-09-06 12:19:19.165 23542300x800000000000000047807Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:19.362{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\SiteSecurityServiceState.txtMD5=0AFB9DB864B848994BBFEA5AF07D1DAC,SHA256=723B016D3A5B64220B172A33B030A9B1C16C43A5F60629025363FF0547991BBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047806Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:19.331{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA9C83E9BB33A112F4475AC13E5EBA55,SHA256=258F27C7DA918D1250DBE11E5BC94541C2B244758CE8B0D0E14CD2BA0497BE84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028863Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:19.059{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=480C1BE240A33D1F0A9E32399B2C4357,SHA256=7F0E7EBF9850B505F3106ABBB89AAFB54A1AAEFDA707298194AEEFBC5859A037,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047813Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:18.623{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57394-false10.0.1.12-8000- 23542300x800000000000000047812Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:20.352{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89FAB4D7508EECAE6B10DBEF44DAE5E0,SHA256=A95336417711F01D5AC4906A4420CDAC402542DA75263F3E509EEAA720E15C80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028864Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:20.101{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D091E06CDA3BB723A88912BD376930EA,SHA256=1D044D89EDED85CD5442A9378C97DDCD03A34F28510D8E9EA4EC4C6CDF264AE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047814Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:21.367{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A48B8F185F4E9B45FA7F8111FF4B204,SHA256=3F29D30164A56510D162EAD2D5D904D21107E147AF8E6FB9AF5E5C17F5A22E72,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028866Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:20.015{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51116-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028865Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:21.133{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=932BBA4B31AD04B0136F21A1153A049E,SHA256=E15AE426506FE1460DC44CCD7402DB92D7BF869B38F020C7904F8B8D6CBE2EC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047815Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:22.385{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3E164DAD1DAABEA2B4628710B065ABD,SHA256=71ECEFD4766252667625E5D7B08D257D39A1677A46820B20E4952CFECFE0A396,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028867Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:22.148{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=643E871516C1ACFF2BAD62826D7B58B4,SHA256=C21807452FD0259630D3CEE41CAE0A95291B0BBC959322C254FDF46F61F0FB06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047816Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:23.404{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=877787F620E61633B39192E7880DBA14,SHA256=4310F8492A6231AF23F32A5DA74E7256FADB57EA6EF121C75E4B7BF61A4F96A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028868Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:23.164{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1472C09600E87D5CE2EA625E8E22D61A,SHA256=834633C79757437B2513CBB9F9921FBBE28AF28F75D92504DA50542A62B7BDEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047817Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:24.418{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A635178BF6F02C4A7CA03EF3CA7DB25F,SHA256=7ADE3116EA748D72438E67E13970FF9D8E674B26835824DFE7F02F24D3E10F81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028869Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:24.195{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3138F25E46988202FFF811ECEBE03117,SHA256=44664C154D96DC667F098DDE45B778C747805E5C31C1AFC0ACF13F1222F26338,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047818Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:25.449{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BC9D52DA7C2A4C5E085D7F867BA03D0,SHA256=E3CEC9F86E3C582D15855CBEB3CF59B9B62F7DF5BA410D50986B3537F39D659B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028870Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:25.211{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7866008831DB74803BD3CED04B12C1FD,SHA256=000B89AA3A122A5B97C40A6C857AD1970D8E374F6395662E644D82AD44D4348B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047820Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:26.450{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0F27DC43463D794676D202B63CAFE57,SHA256=C9E80264F580BB39AE80D87FE3E9A0F43EA73216EEF078B78F282E5ED9B41547,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028871Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:26.242{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C3B0DDA9FBEB2A2CFD1F2876308ADC4,SHA256=6CB977FC0784D66F717B969167E1D7412800E3060A7820945966CD742CD2FB56,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047819Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:23.627{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57395-false10.0.1.12-8000- 23542300x800000000000000047821Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:27.465{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA5C671D48781EC071CBAE23C35B855E,SHA256=FC674C0EB581DB4E28E5E70FECB6F2298DD35378B0868BDE060237AEC5D737E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028872Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:27.242{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D1F390A46A5A52ED8C92C276F261F10,SHA256=D21118AC4E62B95674A33CACE7DBB3ED96C73CFEC7659D83B6533805AE8714C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047825Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:28.548{323FE7D8-053B-6136-6E02-00000000F001}44404908C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047824Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:28.548{323FE7D8-053B-6136-6E02-00000000F001}44404908C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047823Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:28.548{323FE7D8-053B-6136-6E02-00000000F001}44404908C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047822Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:28.482{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=085B166E1F99F9AD964FFA8EE6FD3347,SHA256=21CACE357A6FC494130BEB4872FC0CCD03D289F71FC0CA2BA47FE414B73287D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028874Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:26.015{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51117-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028873Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:28.242{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B11DF52E1B05422C35F31847EF59C970,SHA256=D31E77E0BC424A4F661935745EAAEFBA2722205E800647A8912A5CBEBFDFAF98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047826Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:29.501{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58B2A33682D06710F31397835573D408,SHA256=E345C968F37B33F7FC5B4A6DE1C583D64D731ECC98C5FC2C81B1D674286E57DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028875Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:29.242{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46F3BB3D4A3805DCD9096FD8FBAF6E11,SHA256=B18FA7B4FBB45DBC4BA325B9EB6E6AF6CA020F20F55B574AF5446AF8F2009637,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047829Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:28.824{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57396-false10.0.1.12-8000- 23542300x800000000000000047828Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:30.683{323FE7D8-02BC-6136-A700-00000000F001}1036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047827Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:30.515{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F28AE26EABF35ED9E132FCB075D4483,SHA256=EB556EC5C9DE1F798A9F1F2EFAA205B8A4404932126516AB366A3745BD43BC2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028876Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:30.289{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9E15B07AF15AE0A93AA92583CAF56B7,SHA256=EC028DDC3705BEFAFAFE61BCD1F7BD01C3E5A439532EC5D8764D2F10C9E85768,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047831Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:30.255{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57397-false10.0.1.12-8089- 23542300x800000000000000047830Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:31.531{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA8B62FC3A507E8A3E7CA0C618DA98E,SHA256=819611B50FF6235B14AFF405CF54C65040C07FD6315E7474EA37AB079C94421D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028877Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:31.304{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D927B91D5116B7C5135A465C1092CE2,SHA256=20566A14B22E3604E07526E3CF0DBF0BD56A493427A827286C07FA18E7BE43FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047837Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:32.830{323FE7D8-053B-6136-6E02-00000000F001}44404908C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047836Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:32.830{323FE7D8-053B-6136-6E02-00000000F001}44404908C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047835Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:32.830{323FE7D8-053B-6136-6E02-00000000F001}44404908C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047834Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:32.546{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=782CAD3D3FF3B7FE982514872C403705,SHA256=A72BB872E3E10048174C4CFA0028AAD65F8BAE1792099CF6C07AE2D9E025F88E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028878Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:32.320{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=375042FAE0040DF63E181A376BCAF995,SHA256=B86A37DDB29584176A417DC7D84AF7FABEA6A469D43409D0380EA12663D80A7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047833Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:32.030{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047832Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:32.030{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=3EBA84EA73CCD22CB65FBBA0876D8A3E,SHA256=7AA4C5267252104B526C838D4D64841CB51C3A5B7ED36E8690E627283B607A29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047838Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:33.560{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C331853875A5EEA7E4403CCA08CD163A,SHA256=0E5D89CC91E636D54D9C0CB1DA08D394C44F4656DFD00B32AE2B5B7CAB125130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028879Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:33.367{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1643DE72D4808EF9C21B22E61982D38,SHA256=003FCFE3FE7AFA542B423FB04ECAFC4F29F6ED276F60AA73F3D63A129488D82A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047839Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:34.613{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=496095DA0A9DEC34871DF312CEE648F3,SHA256=45F7C0200DE47ECDFD8D8ACB69A0F18DC5E4BA739DB87AA2F1897BCBDD778464,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028881Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:31.984{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51118-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028880Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:34.367{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33B8AB7130A4BAEB59A3A6FF6F4E4A2C,SHA256=90011D566E6FECA9C2C400B62D1113B166D698D5378023764DD323F4ECAC91B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047841Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:35.627{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A72F9827FBFEF1135E49D190584A731C,SHA256=53CC4A8FEAD53E10C28698A6C6C90AED866A960A86FCA3B1128C1E2D7E5F67B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028882Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:35.382{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A1F32630EDF9ECFF055172E7B488A6E,SHA256=9E5E444292817A0809F46564213FE34BA91FA927815F46FA1903071058864192,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047840Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:32.208{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local50468- 23542300x800000000000000047846Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:36.642{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08F94473A102124425CAE3B47D92149D,SHA256=57BFC5E8BA62BD6A51B0C22BB6BF2384816179A7B44E14669DABC1D0B1E65312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028883Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:36.398{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=713435AD121D5E629ACEF9537B75DEC1,SHA256=588E969256EDB30EB7F5939EEBCD204E30084F2F1BB5A4256CABCCDDDE3D9461,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047845Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:36.375{323FE7D8-022E-6136-1000-00000000F001}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A07A01223FA96F36AD3CCA4C41028861,SHA256=990AF5EE3B061A7E4B344DDBCFB8525FB5BFF3CAF664E41F03B803DD46AEAA82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047844Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:36.211{323FE7D8-053B-6136-6E02-00000000F001}44404908C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047843Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:36.211{323FE7D8-053B-6136-6E02-00000000F001}44404908C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047842Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:36.211{323FE7D8-053B-6136-6E02-00000000F001}44404908C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047848Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:37.657{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9EBB99AFF7532DF9D23474BE700EF95,SHA256=57F9BD7A79781D9B6B4E301BF40BFEC3C51E5C3255F6C6FBB5511A538D975E58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028884Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:37.414{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFA74C68972A3BB0D0BE5A26779E50F5,SHA256=5C21E0F61F0770F05B1AECF971C83172CDA873755B9EC1A234E68D851E483278,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047847Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:34.805{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57398-false10.0.1.12-8000- 23542300x800000000000000047849Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:38.674{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F1028B813F5A3091B0ED7CA80B90D82,SHA256=88ADC269DF3B1D1672F93D4E5F613498186D3E712DDE077DADA3EDCE064FA197,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028886Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:38.445{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6923BD65152BB7CEACFD6AD5D521935,SHA256=5DAE5739B03D1920DE401933B11E8D355AD513C74978113FBCE43F350F6A62B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028885Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:37.077{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51119-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000047850Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:39.694{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833B7DE3BA1A1AA5443ACE2E96BB7E01,SHA256=4633186D88EA255557F1F54F45913783FDA2226DC29F1E9AF31BAB7CA6F46AD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028887Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:39.445{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=635E160A6F9F46899564D88802855A22,SHA256=C898C47B7D9796C35AC500CEC040D6D86285E57DCDF4FD7DB8485226448C75B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047851Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:40.709{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A705F406D5D51172257625E4FD161EF3,SHA256=5710EE4271053E6C676A84848E80BC8B2ED47F8E4F1FF73ADFE5D4D6F09A6ED7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028888Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:40.450{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA18254A992A08E8A05F2820EB3C4FE3,SHA256=DC832A6B9D00E631FE937B5198E849CF2C37C55ADB41F5EF29C1E813B5EFFCE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028889Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:41.450{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F3DC78BF65F5C69A21DE6F3274C295D,SHA256=1149C189E6FBBAD06106678591D0CCCCABFAB6B7C54C8BD3A6C6CB07B98E4C0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047852Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:41.724{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1AB25F98EC480F088A535EAD3106660,SHA256=186942BA164B1785CDA4E23AA7C740EED476074FC6E9E70015FC9C69AF50B9A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028890Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:42.465{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9EBCC5911A35AB58493EE00332730C0,SHA256=02C99651496C0DB021768C2F9D02142C8C343C94B8437F6B9C385469A9235E11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047853Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:42.725{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B393D5F8D87A09AD7D45E331F50C7A45,SHA256=943718DAC686F88101343FAD71D038ACAF1C8DC4614D2C391160E650B95AD580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047856Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:43.729{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8B4B600F4661F9A318C293B3A0CFA5F,SHA256=AE9C1288B521F1D7A8B910D8409874A89D1C9AAA8E0FACF5D4F5D8015C8057CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028892Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:43.482{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A238CC870E0480EC3B8AB3B150F47CA5,SHA256=328CEFE1F5A15DE9CEDF8C6D6141579F7286CCCD1A253626FDB8F8E671BC7C35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028891Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:43.078{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\respondent-20210906120554-110MD5=4761C661187147E55C9BD88F93ACDD3F,SHA256=E49051AD655512C416AEEFA39D6145E31F50204E8459201070596158B48A8487,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047855Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:41.720{323FE7D8-022E-6136-1000-00000000F001}404C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 354300x800000000000000047854Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:40.785{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57399-false10.0.1.12-8000- 354300x800000000000000028895Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:43.052{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51120-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028894Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:44.512{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BD8349A3AC33CEB900CFC64CD07692C,SHA256=82676FF61A29E4001B7CF6933F09B2FA74CFA42672C3064BB0382627BC545CE8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047901Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.360{323FE7D8-022F-6136-1600-00000000F001}13081976C:\Windows\system32\svchost.exe{323FE7D8-1ED0-6136-5D09-00000000F001}4876C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047900Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.360{323FE7D8-022F-6136-1600-00000000F001}13081348C:\Windows\system32\svchost.exe{323FE7D8-1ED0-6136-5D09-00000000F001}4876C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047899Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.360{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-1ED0-6136-5D09-00000000F001}4876C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047898Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.344{323FE7D8-0537-6136-5702-00000000F001}27564164C:\Windows\system32\csrss.exe{323FE7D8-1ED0-6136-5D09-00000000F001}4876C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047897Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.344{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1ED0-6136-5D09-00000000F001}4876C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047896Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.344{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-1ED0-6136-5D09-00000000F001}4876C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047895Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047894Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047893Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047892Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047891Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047890Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047889Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047888Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047887Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047886Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047885Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047884Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047883Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047882Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2D00-00000000F001}1684C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047881Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2D00-00000000F001}1684C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047880Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047879Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047878Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047877Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047876Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047875Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047874Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047873Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047872Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047871Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047870Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047869Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047868Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047867Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047866Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047865Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047864Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047863Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047862Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047861Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047860Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047859Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047858Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047857Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:44.044{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028893Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:44.092{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\surveyor-20210906120551-111MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028896Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:45.530{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2142358435205A5BD689B9E77AD62E67,SHA256=BBF74E870519BD56BAA2975C0F805797C1187775E63E1526C4315565837335E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047904Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:45.396{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C6053ECCC3DB334876C16B88164AE89,SHA256=9EFC0656BCE5A0911FBD8E55429F814F8C2A8C555A61C1825E65529B08EBB263,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047903Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:45.396{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=965A9E2A44F47E37C74562E7147E82B7,SHA256=A69D048AB277B794A43F8BB716CADDCCF8808BDEE5D333A83664598B5CB84579,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047902Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:45.028{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7715270D587E819F17CC9886499B9910,SHA256=58E97DF583FB61B925F4735745AD035474614EBB829E53C45693BC728246BA81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028897Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:46.545{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4722250CF8DEB7ECF91880BA7C4DFB00,SHA256=E72F8F05E01D4683F871EC1E86FAEB156EC50267ED0BADC653EA26078DD54C7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047905Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:46.043{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63DF11C69917F26CF1E670D784F5180B,SHA256=B5BD18796CBD6CA9B8D9293F2D1B6750C3C0D5A80C9FA6B43CC9E80B189C1B49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028898Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:47.545{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6EDECFDAD5AB9C7B806447D9EF53ADE,SHA256=6D259A01840226A5F1DF6B51C0923C0A681B6073F71E1C8643338041192D9F23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047906Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:47.044{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E35EB5654BA5998E6F0B12251C19829,SHA256=17BF4388E8FA776E070193EB20E9C7ED7B509B7E39561E05B611E08079A9054D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028899Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:48.561{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC2511559D9031F56AE77D353F1E898,SHA256=2E7B301EFF3154762B3221C68174294D6A35E55FE1CDB1B996713B9835F1625E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047907Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:48.059{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E23DA6FCC885472330BD7D6EFCF69FD,SHA256=4E6F0871848CC22A663DA79F6963CDF18F8A9490BD32C3DB8062CC5EA14574BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028900Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:49.576{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65E6D409196A09CAE20F3FFBE6A025F3,SHA256=2E89E257C95E232B2E3F10F2BFD671C26D84E7528D3808F5C70F9DE44CDB00A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047909Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:46.790{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57400-false10.0.1.12-8000- 23542300x800000000000000047908Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:49.061{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06B308675FFD9FCFFA55FC5716576CCD,SHA256=BD1658D71201193D3C868D9FF1F9F005C1917C85DE6FFFDF051E205EBC7CA00F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028902Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:49.053{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51121-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028901Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:50.576{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C011535A9F02F86A6A184D927958CEF,SHA256=D5C41CC3EC333F4EEB3506808C1947829A716EAFC955179B3D748E50860FA2CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047923Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:50.734{323FE7D8-053B-6136-6E02-00000000F001}44404908C:\Windows\Explorer.EXE{323FE7D8-0690-6136-1905-00000000F001}4808C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e8d|C:\Windows\System32\SHELL32.dll+61e00|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047922Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:50.734{323FE7D8-053B-6136-6E02-00000000F001}44404908C:\Windows\Explorer.EXE{323FE7D8-0690-6136-1905-00000000F001}4808C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047921Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:50.528{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-0690-6136-1905-00000000F001}4808C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e8d|C:\Windows\System32\SHELL32.dll+61e00|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047920Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:50.528{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-0690-6136-1905-00000000F001}4808C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047919Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:50.528{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-0690-6136-1905-00000000F001}4808C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047918Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:50.283{323FE7D8-022E-6136-1400-00000000F001}10961968C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047917Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:50.214{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047916Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:50.214{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047915Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:50.214{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047914Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:50.198{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047913Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:50.198{323FE7D8-0537-6136-5702-00000000F001}27564164C:\Windows\system32\csrss.exe{323FE7D8-1ED6-6136-5E09-00000000F001}4704C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047912Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:50.198{323FE7D8-053B-6136-6E02-00000000F001}44401692C:\Windows\Explorer.EXE{323FE7D8-1ED6-6136-5E09-00000000F001}4704C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+80287|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+17c30c|C:\Windows\System32\SHELL32.dll+19ead8|C:\Windows\System32\SHELL32.dll+2846d3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c5b0|C:\Windows\System32\SHELL32.dll+179a2e|C:\Windows\System32\SHELL32.dll+736e1|C:\Windows\System32\SHELL32.dll+765c6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x800000000000000047911Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:50.094{323FE7D8-1ED6-6136-5E09-00000000F001}4704C:\Program Files\Notepad++\notepad++.exe8.14Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Windows\system32\ATTACKRANGE\Administrator{323FE7D8-0539-6136-E7C9-190000000000}0x19c9e72HighMD5=8D93FF22077355875C7BC59CEBE98B4F,SHA256=A345288CDF2B0A43B64E0C3264FC2839A76C98835CAC1A1920D68E21DD444EB3,IMPHASH=D3A8B6DC8BC0179C654D96C4AD61A9D1{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000047910Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:50.061{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4707DB8D4230DFAA5899F3553E7158E8,SHA256=005697DD2C325A742BCDC3B93AE10B2D2D3CBB203E0477A4DD87AA7BF8762FD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028904Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:51.717{FFF7FB96-041E-6136-1200-00000000F101}1020NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8D1366F650405B3A25D1E0C542E7AC47,SHA256=8003C6AF0377AF237C8E2F948A51CECC77DC3E793AA8B250A1CEEB91782CB8DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028903Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:51.592{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3CB651A889CC9838CB1862340316CFB,SHA256=9DAECBB7F452CB54DB87844C71AD570F1072CDE00B6CA4FA0217ED2FAE2FE96F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047926Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:51.104{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=625D469345DD45995A98DDFE540B7226,SHA256=9AAA660EA8C5CBB632AC35DF5372F97BCFEE30E6A0092C51F1919BD5EA739758,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047925Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:51.104{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C6053ECCC3DB334876C16B88164AE89,SHA256=9EFC0656BCE5A0911FBD8E55429F814F8C2A8C555A61C1825E65529B08EBB263,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047924Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:51.088{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13B6FF7AAEA5EE90064832904BDBDE79,SHA256=B49BEBA085FC6FE9DF761DB3B690D7A373A588D7F1887EC3DABDB71798C86EE1,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000028915Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:59:52.858{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000028914Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:59:52.858{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006877f5) 13241300x800000000000000028913Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:59:52.858{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a31f-0x14f1eb7e) 13241300x800000000000000028912Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:59:52.858{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a327-0x76b6537e) 13241300x800000000000000028911Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:59:52.858{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a32f-0xd87abb7e) 13241300x800000000000000028910Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:59:52.858{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000028909Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:59:52.858{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006877f5) 13241300x800000000000000028908Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:59:52.858{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a31f-0x14f1eb7e) 13241300x800000000000000028907Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:59:52.858{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a327-0x76b6537e) 13241300x800000000000000028906Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 13:59:52.858{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a32f-0xd87abb7e) 23542300x800000000000000028905Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:52.608{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7369A3A01629650D62D47A71A0E98974,SHA256=AC05E389CA764D4ED142C586D25962AA22C0044D06995C779082ABBCBDBDA880,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047927Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:52.103{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB0A4DB6E859331DA839E5EBB1E7E70,SHA256=45E478D5C4368222B0FD60A073949CF4DC5E03123323B1234941441C3F299B23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028916Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:53.608{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43E69FB346D32662B0B97EAEA7C037A3,SHA256=F571E3932E20803433AE218B4AE5013F898C4BF785A15945B443A536E297A57F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047928Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:53.133{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A3D896CEDC0FF54B0BF25485F3AA214,SHA256=735A791FA50607B1FCC34B56BC2A2CF6EA327B70CDCC41B3EA9CBD262C94DD18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028917Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:54.608{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C43F11F3F70A1839896CFF2A6A37B0F,SHA256=2F6CF8B53F3E5C5866B27EA0775B2AC3E741EB7A0EF4EFD630097E24C23B99FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047930Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:54.868{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\respondent-20210906115753-118MD5=58D52BFFD80488B8005F7C319C2D4334,SHA256=B9D8441D1BC2ED8425146F5F211E2A21C477807F4E0B7EBAD9811C868FAB9279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047929Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:54.164{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BB7D72422BB12DED493377601A8FD0A,SHA256=55E3A536FC7A52E750A7D1AC3AB89D61B66C377953C38ABC5A5DE3A150F1B6F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028918Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:55.623{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02A21D926CD93054648F87446ACFA2A0,SHA256=ED34813D6B310F0BAD37E52AB9D242EC0F8CE5FE26751A43FD322A324F8CF5CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047933Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:55.880{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\surveyor-20210906115751-119MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047932Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:52.626{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57401-false10.0.1.12-8000- 23542300x800000000000000047931Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:55.182{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F307ACE654D8DE22F797D6F04DE16161,SHA256=62ACA1341B35B2C13454827053F5F5A623AC90CB8553CCCF38317575EDB60578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028919Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:56.655{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91D0CBC15383FB7BB208139333C02C62,SHA256=79BA31C2A3D0F0613E41E8B869A9177BF5A8823DF9095B145C564AF499CF1FF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047934Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:56.201{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=367196045780E64734478A7A2151C878,SHA256=60EEEABB0BADED048798505C5864779A1781C191E39449BAD55A3AD7CC0DBFED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028923Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:57.701{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D9226DB7A32531742BD6FE0F5C78E5,SHA256=BBDB55497C51B37218F49FC360342DED3B0929B7EFBFE4B693195552666678A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047935Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:57.216{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61853CAB79B5AC67F2EEED84A6FA78EB,SHA256=DC167494C547262593188145857EC3BE07F8EE38DEF3B6D5E2B3A2D7334DB782,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028922Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:54.959{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51122-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000028921Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:54.510{FFF7FB96-041B-6136-0100-00000000F101}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255ip-10-0-1-255.eu-central-1.compute.internal138netbios-dgmfalse10.0.1.15win-host-353.attackrange.local138netbios-dgm 354300x800000000000000028920Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:54.509{FFF7FB96-041B-6136-0100-00000000F101}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-353.attackrange.local138netbios-dgmfalse10.0.1.255ip-10-0-1-255.eu-central-1.compute.internal138netbios-dgm 23542300x800000000000000028924Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:58.717{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CCC178A280FB7650851A795F56A35B0,SHA256=DA0A5057EB58612928E50E556061C6B7AEA703B9850A62EAE995C58E7206294A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047936Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:58.232{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD63FCEA44951237C9DC86B6033191A,SHA256=804903CCE5BE13435D889BBB17C74BE68261F095CFA539C23DE2480561D71AAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028925Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:59:59.720{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39DEBE64AD80B4F86F2C601BC23C2AA0,SHA256=7A8A7CA8F1D600D97581AC25F942AADE802C56EE3952DE39FB6317CA31869EDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047938Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:57.840{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57402-false10.0.1.12-8000- 23542300x800000000000000047937Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:59:59.241{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8756BA207A5958DCD3CA6C939E44970,SHA256=942AD9F1D9C0D6C8D9EDB48E25BB0AD61902EA75FEEF89C6815D5F934532F3FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028926Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:00.720{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3315D604FCEDA283A6D821B217382CB0,SHA256=E1E6F054B96103B9141F335C840E80D6EEA029833FEDA857121D40C25CFA0BF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047939Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:00.242{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52221B83141C15E729D6EF9DE31E8E2B,SHA256=5C20C80FD3C556A285EB729D39500750CF1578196B7646D237D793AF95452882,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028927Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:01.751{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=823EB6B8858B8FB894DDFA1F92A974A1,SHA256=CC01FB3A5663733F2AB44CD22EEBD50E5C9226182B62F41CF5FA4141D59E7F6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047940Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:01.242{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FD3D7A1DFEAC487665C634F588B5111,SHA256=DB655809EEEE068CAC22718DE57594EEA40DEF073225765B3B03F8FACC82B827,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028928Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:02.767{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C60AF2D9B6B09D524D9DD632EDF8D54A,SHA256=760DDFF0551D9833A68DEBCB6176E52B4BB2C2FFF4F287FC2789A19FD3BA30D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047941Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:02.243{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2FCEA4A7D58D9669FA27152527C02A9,SHA256=7F2D624DD477720C3C9A7ADC4017326DF87EFF7E99E18B5E48C696AEEDBB98E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028930Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:03.783{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F8664C5D495C43655AE8FE8C013D595,SHA256=119B69350719DCDA7861B1285238032FBB44B6FC4840C8E2035A329D107C3EB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047942Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:03.248{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29545797214B28576D9302B3062BB3E5,SHA256=0EEE0C603070EDD9B41CF51B336C0823C56370A682AF95E518FA4494F36A1249,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028929Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:00.931{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51123-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028944Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:04.798{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC29EB6B33C4FA40E897796BB4F75F7C,SHA256=C7FA072F3DD57FBEA6153BADFEB8E2BBA72E978B960AD54707B0B72C9175042A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047951Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:04.432{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1EE4-6136-5F09-00000000F001}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047950Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:04.432{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047949Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:04.432{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047948Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:04.432{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047947Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:04.432{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047946Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:04.432{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1EE4-6136-5F09-00000000F001}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047945Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:04.432{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1EE4-6136-5F09-00000000F001}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047944Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:04.433{323FE7D8-1EE4-6136-5F09-00000000F001}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047943Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:04.263{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD32BAFC5C83E4BD4DF0682B096B6EDB,SHA256=DDE9D0020A086C9E0B43B477653DA1B4530CDA73A73DB564D675756643506C9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028943Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:04.705{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1EE4-6136-D606-00000000F101}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028942Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:04.705{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028941Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:04.705{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028940Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:04.705{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028939Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:04.705{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028938Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:04.705{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028937Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:04.705{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028936Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:04.705{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028935Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:04.705{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028934Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:04.705{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028933Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:04.705{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1EE4-6136-D606-00000000F101}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028932Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:04.705{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1EE4-6136-D606-00000000F101}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028931Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:04.705{FFF7FB96-1EE4-6136-D606-00000000F101}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028973Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:05.892{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1EE5-6136-D806-00000000F101}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028972Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:05.892{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028971Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:05.892{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028970Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:05.892{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028969Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:05.892{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028968Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:05.892{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028967Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:05.892{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028966Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:05.892{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028965Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:05.892{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028964Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:05.892{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028963Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:05.892{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1EE5-6136-D806-00000000F101}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028962Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:05.892{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1EE5-6136-D806-00000000F101}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028961Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:05.893{FFF7FB96-1EE5-6136-D806-00000000F101}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028960Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:05.814{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=755B020DB466C03E9773574A7AADE6DC,SHA256=32F61B45E30424A89F69DB04F526AF31248C58993D67AB23A4CBE49D2AF6FD6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047972Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:05.706{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1EE5-6136-6109-00000000F001}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047971Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:05.703{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047970Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:05.702{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047969Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:05.702{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1EE5-6136-6109-00000000F001}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047968Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:05.702{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047967Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:05.702{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047966Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:05.701{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1EE5-6136-6109-00000000F001}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047965Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:05.700{323FE7D8-1EE5-6136-6109-00000000F001}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000047964Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:05.596{323FE7D8-1EE5-6136-6009-00000000F001}1005528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000047963Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:03.809{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57403-false10.0.1.12-8000- 23542300x800000000000000047962Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:05.453{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFEDC4144172AC691A3672DDDFFAD716,SHA256=FB1DA9F186C0626C676333612010139A88B42910E57C2012A90164B9BA789575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047961Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:05.446{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=625D469345DD45995A98DDFE540B7226,SHA256=9AAA660EA8C5CBB632AC35DF5372F97BCFEE30E6A0092C51F1919BD5EA739758,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047960Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:05.306{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45CC0559F7130F9970E3A427D2ACAA1F,SHA256=287A06F4B5F60B8544B33A07C273CE87341E95ABCBDFC54ABD036027EA54C981,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028959Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:05.783{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=685FD5AAAD8711ABDAA02BD06BAE66D6,SHA256=33B390FF4C43293FF53776C05F985D1144A8F371C7DD07C039389C1472FFA498,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028958Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:05.783{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0939B0D9D407DAA3B2B4C0C1C1B55214,SHA256=2B0EFA5E18DB011B798BB2A5BC8702DF8AB9FCD3FEA01DEE2EABDB5C8D774D87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028957Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:05.220{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1EE5-6136-D706-00000000F101}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028956Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:05.220{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028955Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:05.220{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028954Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:05.220{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028953Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:05.220{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028952Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:05.220{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028951Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:05.220{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028950Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:05.220{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028949Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:05.220{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028948Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:05.220{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028947Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:05.220{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1EE5-6136-D706-00000000F101}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028946Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:05.220{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1EE5-6136-D706-00000000F101}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028945Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:05.221{FFF7FB96-1EE5-6136-D706-00000000F101}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000047959Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:05.119{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1EE5-6136-6009-00000000F001}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:05.119{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:05.119{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:05.119{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:05.119{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1EE5-6136-6009-00000000F001}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047954Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:05.119{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047953Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:05.119{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1EE5-6136-6009-00000000F001}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047952Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:05.119{323FE7D8-1EE5-6136-6009-00000000F001}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028977Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:06.892{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=685FD5AAAD8711ABDAA02BD06BAE66D6,SHA256=33B390FF4C43293FF53776C05F985D1144A8F371C7DD07C039389C1472FFA498,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028976Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:06.814{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D16C0BC1E51CBFF0C495FB4682A4A3B,SHA256=7687F44C1D70C58DCF41B121D5D17DF656C663C14E8449DE790DDE42C4091A70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047974Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:06.706{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFEDC4144172AC691A3672DDDFFAD716,SHA256=FB1DA9F186C0626C676333612010139A88B42910E57C2012A90164B9BA789575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047973Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:06.323{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DC8B90943E89B0755D064936873CBA1,SHA256=A212C1AD33051E617A34062076434184B9E6CBB65869962B04D51C9F31021453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028975Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:06.126{FFF7FB96-049C-6136-9F00-00000000F101}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028974Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:06.080{FFF7FB96-1EE5-6136-D806-00000000F101}37162668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028992Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:07.845{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A29BCFFA888B929A802783F3844A4B39,SHA256=1D4BE82A1E0D0FB1195BB62A34117274F29C311CF4E28CCF41706155D627C2E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047985Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:07.823{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1EE7-6136-6209-00000000F001}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047984Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:07.823{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047983Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:07.823{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047982Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:07.823{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047981Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:07.823{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1EE7-6136-6209-00000000F001}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047980Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:07.823{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047979Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:07.823{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1EE7-6136-6209-00000000F001}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047978Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:07.824{323FE7D8-1EE7-6136-6209-00000000F001}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000047977Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:05.377{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local57404-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000047976Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:05.377{323FE7D8-023F-6136-2800-00000000F001}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local57404-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 23542300x800000000000000047975Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:07.323{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D7DDCFAC8AB21F49A43463E3DE0618,SHA256=CE5E95E81B6F503241E412D93CA1EBEA7B4E6853360BDFBC78CA96E61891EE73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028991Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:07.533{FFF7FB96-1EE7-6136-D906-00000000F101}4322972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028990Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:07.330{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1EE7-6136-D906-00000000F101}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028989Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:07.330{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028988Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:07.330{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028987Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:07.330{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028986Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:07.330{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028985Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:07.330{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028984Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:07.330{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028983Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:07.330{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028982Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:07.330{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028981Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:07.330{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028980Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:07.330{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1EE7-6136-D906-00000000F101}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028979Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:07.330{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1EE7-6136-D906-00000000F101}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028978Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:07.330{FFF7FB96-1EE7-6136-D906-00000000F101}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047997Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:08.838{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A265EF432B1A9CEA92F0C320D7596E66,SHA256=F8C1D8F3F187F5535AA41727D216F4DCC58109E232F604ED72209B01CACF7638,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047996Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:08.638{323FE7D8-1EE8-6136-6309-00000000F001}63523444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047995Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:08.438{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1EE8-6136-6309-00000000F001}6352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047994Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:08.438{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047993Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:08.438{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047992Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:08.438{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047991Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:08.438{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047990Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:08.438{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1EE8-6136-6309-00000000F001}6352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047989Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:08.438{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1EE8-6136-6309-00000000F001}6352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047988Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:08.440{323FE7D8-1EE8-6136-6309-00000000F001}6352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047987Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:08.338{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FDC05392F85F1A1C6FE4FF5DAB432F9,SHA256=9D3C17CC232122A3552BB462DB1D276CBB4D854090AC11E09EBF972061F726A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029022Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:08.673{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1EE8-6136-DB06-00000000F101}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029021Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:08.673{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029020Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:08.673{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029019Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:08.673{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029018Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:08.673{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029017Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:08.673{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029016Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:08.673{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029015Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:08.673{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029014Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:08.673{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029013Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:08.673{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029012Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:08.673{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1EE8-6136-DB06-00000000F101}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029011Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:08.673{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1EE8-6136-DB06-00000000F101}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029010Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:08.674{FFF7FB96-1EE8-6136-DB06-00000000F101}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000029009Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:06.884{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51125-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000029008Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:05.962{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51124-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000029007Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:08.361{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B0FB7679E1B8044464E907C0C9A4C20,SHA256=1B66B8923D46F6CA90786EECF9B95C472A0AF17C7A00B9A048C2D61FCEE2110C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029006Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:08.173{FFF7FB96-1EE8-6136-DA06-00000000F101}26801656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029005Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:08.001{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1EE8-6136-DA06-00000000F101}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029004Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:08.001{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029003Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:08.001{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029002Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:08.001{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029001Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:08.001{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029000Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:08.001{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028999Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:08.001{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028998Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:08.001{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028997Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:08.001{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028996Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:08.001{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028995Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:08.001{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1EE8-6136-DA06-00000000F101}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028994Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:08.001{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1EE8-6136-DA06-00000000F101}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028993Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:08.002{FFF7FB96-1EE8-6136-DA06-00000000F101}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000047986Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:08.086{323FE7D8-1EE7-6136-6209-00000000F001}61084952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048016Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:09.912{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1EE9-6136-6509-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048015Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:09.912{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048014Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:09.912{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048013Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:09.912{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048012Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:09.912{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048011Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:09.912{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1EE9-6136-6509-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048010Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:09.912{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1EE9-6136-6509-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048009Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:09.913{323FE7D8-1EE9-6136-6509-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000048008Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:09.512{323FE7D8-1EE9-6136-6409-00000000F001}39762452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048007Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:09.371{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FC8B26FCBC7E73463DE6B2EC53E1EAA,SHA256=4A70D05284F544CA24AA4FE2BD37397FAEFDA669F0DA81645251179B9FC94D16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029038Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:09.705{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBC1701E1A43184CC7E2DB2BCD96E65B,SHA256=6AF7ED45B154F655B4F47B99CF70C3AFF4546CDDAC8697A2316A63A688F3B2E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029037Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:09.455{FFF7FB96-1EE9-6136-DC06-00000000F101}40921132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029036Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:09.298{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1EE9-6136-DC06-00000000F101}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029035Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:09.298{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029034Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:09.298{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029033Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:09.298{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029032Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:09.298{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029031Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:09.298{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029030Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:09.298{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029029Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:09.298{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029028Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:09.298{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029027Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:09.298{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029026Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:09.298{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1EE9-6136-DC06-00000000F101}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029025Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:09.298{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1EE9-6136-DC06-00000000F101}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029024Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:09.299{FFF7FB96-1EE9-6136-DC06-00000000F101}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029023Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:09.017{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9CBE93E0256B3A0B5F49F07F4E4D34D,SHA256=0F2D1E857B8DF1CC3F425F4B49C5DEE17243F2EEDD9974D10C11F8704C816F59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048006Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:09.138{323FE7D8-0690-6136-1905-00000000F001}4808ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=6345188FEF55C207EF0C80F70EF89AEA,SHA256=F1D63382434D03C1EEC294BC3C38526DF337B9273FE32AECF95DFA2BAE52B62D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048005Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:09.038{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1EE9-6136-6409-00000000F001}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048004Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:09.038{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048003Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:09.038{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048002Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:09.038{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048001Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:09.038{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048000Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:09.038{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1EE9-6136-6409-00000000F001}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047999Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:09.038{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1EE9-6136-6409-00000000F001}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047998Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:09.040{323FE7D8-1EE9-6136-6409-00000000F001}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048018Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:10.396{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51751B6FB33C5FB6EBA81E7D2F3756A6,SHA256=26CA192875D28684BFFD0021EB2192F5E38E1DB4E937F08CA8CD2E180777176C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029039Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:10.173{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43BB4B9B5CA46F0EB65AC3D786F97FC7,SHA256=1E6614F13853635762B1716540DE6E5942D851B238D7F0DD7C8E00AF4A0A80C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048017Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:10.065{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBDFC945FF2CD5BA7E3DD8C57D43BB40,SHA256=98E69C3D2482B1B1E957E44D1559BBD0DED36DA8659D1EAB09FD8EEACA15B9C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048020Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:09.820{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57405-false10.0.1.12-8000- 23542300x800000000000000048019Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:11.427{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1628F9D9D0E7B932F1F3E6CE8D03FBB5,SHA256=012218063398F174A349A9442052A5BAB1978510D685836808D464721575CA1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029040Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:11.205{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AB9E385D86924FDFBF4E6632561A55B,SHA256=9E285D7AAC0E180359A9791321E67DF332C9DFA04491A087FDC6BE1C680729CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048021Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:12.431{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B21131DC87DB47B9ADA0567AD540CDA,SHA256=D4FE4DED73142185204E493B90873DB7A039DDB8E325194F75F4B8625BF75E20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029041Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:12.236{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8CE4F7BDAB2474F83526890F7D53291,SHA256=BAC57819597CB3C6EE0F213F1BA6923585F524E212B0DC7F40BA857C38198AF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048022Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:13.432{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA25B7736B542BC2BBF5F5684C12C806,SHA256=C72D4A173C3747AE5156225E275DF6B938C90145377D4C31B1580402B2E2C41D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029043Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:12.103{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51126-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029042Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:13.298{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAF404BA4F01B456B295308657E15DAD,SHA256=C284BBE3A0301544940334DA260E94AC6652E84F4FA0E652FB6C68E9BF0DA423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048023Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:14.432{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30E84428A037B6C54DA476BB317CBCAF,SHA256=80D239FCCC4C4B3877560A2BD33DA819CDAFA3CFB1BE193D7EB4F6760E5AD414,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029044Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:14.345{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE420395BD3F6963A86A866299C68F49,SHA256=1FB8A6904E67026AAB683E777745F478C9C63DDA6598507F3C79FFBA329B306B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048024Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:15.435{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08ECE96AB3CCDA683775D5F6676D3AAA,SHA256=A3EFA7DA8E5C609125B6D3CD5630CAD6655DD4E0D42C193A9A9139214795B57B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029045Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:15.361{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86D2749ED74F823D8638D73BDBC20DAD,SHA256=15059E5AFB88AC21D2FC5D5A24C68DF1F10FBEB4A97682CD6772B61045B7959B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048026Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:16.472{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EEC844AB6EB02E7A5CE5D63F79A9C8F,SHA256=7CF51D6D24B6ECAA5572564A2A3270FAE2780C842C0C406BB0F867965DF8622C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029046Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:16.376{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC9E4C5F860A66FA18A8E3AFA3BF3109,SHA256=53CB3D832783274A01109B83D290006726DF1D3FFB38950CFDE7243EE77C5981,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048025Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:16.134{323FE7D8-0690-6136-1905-00000000F001}4808ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-09-06_140009MD5=58C6B4DBF7A98BF4D92679271E27C7B3,SHA256=A629D3070374E5F35127D04D7D32151B8261B21C7215A1E43BCA3543C2748A7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048032Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:16.147{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-456.attackrange.local53domainfalse10.0.1.14win-dc-456.attackrange.local54732- 354300x800000000000000048031Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:16.147{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-456.attackrange.local53domainfalse10.0.1.14win-dc-456.attackrange.local52445- 354300x800000000000000048030Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:16.146{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local60813- 354300x800000000000000048029Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:16.145{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local57620- 354300x800000000000000048028Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:15.680{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57406-false10.0.1.12-8000- 23542300x800000000000000048027Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:17.487{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=948E00E9E43A9A2D8BEEE1A35279CA69,SHA256=6FBF71403FDF3D513329C48A718A866DE86A531F63EEBF86D0378F9212CF911D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029047Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:17.392{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C600713FCB1CD3EAAD5033A5C000663,SHA256=C813FFEDB57F07E4D771FA55D8F3587C1D0D98DC6C5F3430FB29D79FA77CA810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029048Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:18.455{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F7405DFF4C7787C3E4EBB368F7917C6,SHA256=ED3E54F90E801DF9B806615F32C20EC5112DC0116BEAD771D75D056E33E0E2CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048033Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:18.517{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F061EC65A7CDCABBA0D48BDC153BF73A,SHA256=93D0D3EE01F1A7ABE40F5EEC91C43A6D96140C64CA7E5330145EFD2D9ED2DC70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029049Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:19.501{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA835AE600B6C924B9C7147924BE1A0A,SHA256=C294F473714003C4F51E7F00B056B102A182369C06920B751D4B0D7796028BC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048037Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:19.786{323FE7D8-053B-6136-6E02-00000000F001}44405196C:\Windows\Explorer.EXE{323FE7D8-0617-6136-F403-00000000F001}4476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a50|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803046D18A8)|UNKNOWN(FFFF8659940A5B68)|UNKNOWN(FFFF8659940A5CE7)|UNKNOWN(FFFF8659940A0371)|UNKNOWN(FFFF8659940A1D3A)|UNKNOWN(FFFF86599409FFF6)|UNKNOWN(FFFFF803043E9103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000048036Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:19.786{323FE7D8-053B-6136-6E02-00000000F001}44405196C:\Windows\Explorer.EXE{323FE7D8-0617-6136-F403-00000000F001}4476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55531|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803046D18A8)|UNKNOWN(FFFF8659940A5B68)|UNKNOWN(FFFF8659940A5CE7)|UNKNOWN(FFFF8659940A0371)|UNKNOWN(FFFF8659940A1D3A)|UNKNOWN(FFFF86599409FFF6)|UNKNOWN(FFFFF803043E9103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048035Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:19.786{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF70757d.TMPMD5=4F8EF1C2D0CD074D7EF5CBE84B3E29E6,SHA256=5DAD2EEF2DD790596120355F9CB5804457452E6EEBD4F53B0DF824C4CF2242DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048034Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:19.532{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77AE5EF9C9F80C1C217C14565B1F77A9,SHA256=1C533A167BFA03B346770F4FC135EDD2C301CDB2E8C160D05A19735F5D6E678F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029051Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:17.978{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51127-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029050Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:20.579{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=025153914076F5131803AFB95958F9D9,SHA256=8CF033814E72A3152646A03C730AB629EF027034420B3E4D66CBE554D157B018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048039Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:20.551{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0640A2F1F6AB007A2603D69888EDAE30,SHA256=421D6AC07550B6BB851FA67EA701C10A5BC4A99EE9A8973A2A7A7668D0A5BA5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048038Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:20.517{323FE7D8-022E-6136-0D00-00000000F001}9045860C:\Windows\system32\svchost.exe{323FE7D8-053A-6136-6302-00000000F001}4892C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029052Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:21.579{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C03CAB70A61CCADC07901580B1969E5F,SHA256=AA5DE4BD48BCC010CE34669A3D4B06983815155BFBCEC8CC2136A19562C4CC99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048040Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:21.558{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF9EBEFAD052BDC6E10A88EA9835A74B,SHA256=0B9BC9A9FD4E14198EA8979B6745D309B1648F8C5D8CB8F30EEE97C03D7DAFF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029053Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:22.579{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88AB77A7283F8E01141A9E1253301643,SHA256=6B1B56DF42512C1ACD128EE6E677E8378A33B3FB6AEF2ADCE289D960CA8FE2D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048044Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:22.923{323FE7D8-0690-6136-1905-00000000F001}4808ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-09-06_140009MD5=AA1F8526B0AFFC4E3840B3165664785F,SHA256=443B85D8E0606F587CA63BD7A37FFF32C28A0B30A460BB7FA5F784E63FC29AA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048043Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:22.908{323FE7D8-0690-6136-1905-00000000F001}4808ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=1430C209EFF7FD5583D3D311A56A889C,SHA256=75358E8028A9D2A1CC1782C71200ED0E529269E98BDC3389937C592CA9D2EB8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048042Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:20.718{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57407-false10.0.1.12-8000- 23542300x800000000000000048041Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:22.577{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE54C8DAA34B2FE5249324FC11DA7B0,SHA256=82CAFBE913E6F2C2F856E4119C923F49693EAEA9351C57176FCABE32A5432797,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029054Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:23.579{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2C5E443710EFFE158DD1088A1AFE346,SHA256=F135DFFABFE543551C664D6035637AD7CCE7C1D2A391E766ADF5DE2003CBC03E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048045Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:23.607{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2D02DA3148C4CBE3A7C8C75F248183B,SHA256=FADFE832197F619F46C4EF9DFECB8B102000BE4E72F0FB8B1342B5BD98F2B5F4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000029056Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:00:24.938{FFF7FB96-041E-6136-1100-00000000F101}1008C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a327-0x8a428769) 23542300x800000000000000029055Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:24.597{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACEF409C6CCC5D9B45B6084F78C4EF13,SHA256=367471DF881E800C279B8C01FF9ADB9708162632B7026B2E8A0D568A7B247DEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048046Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:24.623{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FE42FF233DD58737D621B6E2B5BADD4,SHA256=AA34003DA8B4324D97CC3A6568B5B32EDE8404760AAF831A8C7A96846ACBA633,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029057Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:25.610{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF93C53D0C3A032FD99FD618CB3CB8CE,SHA256=F9E1181F1B833A544AA70399BA49AB35B682F473B815E06AA35523B24C397D99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048047Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:25.655{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA7DEDE148DC404806FE7C2774FDF47C,SHA256=8E2984CFD6E7ACBC7F3C2E6DE846C9378F967460B986908EF0697A2F08444D75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029059Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:26.610{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B93A9174593DC41BFEFFECBB851E95EB,SHA256=1E98F853EE4A02947DE14D83E1FF933222D0B3BC33CB843B4E0615387F7725A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048048Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:26.659{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE190D8A9A08C8367411751E06495AE7,SHA256=0FDB176A0867B0E164C4AA928DE158298554F96E1DE88FCEE3A7AFB221ADA19A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029058Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:22.992{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51128-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029060Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:27.610{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=558598FE174931CE01442B47079AE23B,SHA256=965E933555D7F3BDD826F1522E9038E6A3AE28F87DAC61E1EB185C7478AF10D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048049Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:27.663{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=480E197E6095AAEB2A95EBCCBD6E60F1,SHA256=02FD50204275364533120A9BE133C019BA045A68DFE10CDD29151478A4422D90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048062Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:28.953{323FE7D8-022F-6136-1600-00000000F001}13081976C:\Windows\system32\svchost.exe{323FE7D8-1EFC-6136-6709-00000000F001}2004C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048061Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:28.953{323FE7D8-022F-6136-1600-00000000F001}13081348C:\Windows\system32\svchost.exe{323FE7D8-1EFC-6136-6709-00000000F001}2004C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048060Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:28.937{323FE7D8-1EFC-6136-6709-00000000F001}20041936C:\Windows\system32\conhost.exe{323FE7D8-1EFC-6136-6609-00000000F001}6292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048059Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:28.906{323FE7D8-0537-6136-5702-00000000F001}27564164C:\Windows\system32\csrss.exe{323FE7D8-1EFC-6136-6709-00000000F001}2004C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048058Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:28.846{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048057Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:28.846{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048056Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:28.846{323FE7D8-0537-6136-5702-00000000F001}27564164C:\Windows\system32\csrss.exe{323FE7D8-1EFC-6136-6609-00000000F001}6292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048055Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:28.846{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048054Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:28.846{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048053Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:28.846{323FE7D8-053B-6136-6E02-00000000F001}44401692C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6609-00000000F001}6292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+1f9bca|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+175660|C:\Windows\System32\SHELL32.dll+17c30c|C:\Windows\System32\SHELL32.dll+19ead8|C:\Windows\System32\SHELL32.dll+17c4a6|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x800000000000000048052Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:28.851{323FE7D8-1EFC-6136-6609-00000000F001}6292C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon"C:\Windows\system32\ATTACKRANGE\Administrator{323FE7D8-0539-6136-E7C9-190000000000}0x19c9e72HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000048051Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:28.683{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED34705D148431E7217563B2040421F6,SHA256=557EB219A102DF0B48163CAD9CEFD48EAD640D215390B845A6AF4D2C8D39672B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029061Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:28.657{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4305F03B57A0F3EC0DB09DFB531D74DA,SHA256=C7733743672C29605F9C577C067C5C7EDC820C0AF2B59121404ED88E521BEB00,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048050Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:25.732{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57408-false10.0.1.12-8000- 23542300x800000000000000029062Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:29.688{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=154B58003856E1F218D387BA522163C7,SHA256=B0BB3FFBDC98204682AC61674796D4B2DAF730CD9EC53E483282C2D9EB17F0D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048078Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:29.872{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0F61B6335127FC99FC80F4D71436AC8,SHA256=4559C992CE63F7F99AED0712C7D8A8BB625B7B81294C6DCA5E30A0EC7E1C9B50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048077Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:29.872{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79BA68CF9A033BC32F9D5B78D1A18C89,SHA256=786CFAFFA33DDA44397E0C556D25685136964802ECB83726F93DFD75C4071C2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048076Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:29.709{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1323BB49C3D9B050223F282E57390D0,SHA256=D2B61E7AF30437F026891FB67E3BCFB17E5C25E6FB63D2505CF0030C359E873A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048075Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:29.158{323FE7D8-053B-6136-6E02-00000000F001}44403484C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6609-00000000F001}6292C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048074Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:29.158{323FE7D8-053B-6136-6E02-00000000F001}44403484C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6609-00000000F001}6292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048073Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:29.158{323FE7D8-053B-6136-6E02-00000000F001}44403484C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6609-00000000F001}6292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048072Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:29.158{323FE7D8-053A-6136-6802-00000000F001}51044592C:\Windows\system32\taskhostw.exe{323FE7D8-1EFC-6136-6709-00000000F001}2004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048071Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:29.158{323FE7D8-053A-6136-6802-00000000F001}51044592C:\Windows\system32\taskhostw.exe{323FE7D8-1EFC-6136-6709-00000000F001}2004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048070Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:29.096{323FE7D8-053B-6136-6E02-00000000F001}44405000C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6609-00000000F001}6292C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048069Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:29.096{323FE7D8-053B-6136-6E02-00000000F001}44405000C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6609-00000000F001}6292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048068Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:29.096{323FE7D8-053B-6136-6E02-00000000F001}44405000C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6609-00000000F001}6292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048067Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:29.078{323FE7D8-053B-6136-6E02-00000000F001}44405000C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6609-00000000F001}6292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048066Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:29.046{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6709-00000000F001}2004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048065Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:29.046{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6709-00000000F001}2004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048064Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:29.046{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6709-00000000F001}2004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048063Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:29.046{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6709-00000000F001}2004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029063Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:30.688{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0527BC9D415FB3FBB13E847958233F62,SHA256=0FB8B9F732F6094DFDD629BEEDC7582E55D73B6A8C31FE445F29CEE60AEA3796,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048080Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:30.724{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFDB11160D800AB70D66D70ABE4CA587,SHA256=A6B59E111B68C5BDD740E483D940E60CF50C5475AFBC51DCB638003C343C5B30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048079Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:30.709{323FE7D8-02BC-6136-A700-00000000F001}1036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029065Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:31.735{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=898D7AF8D1316D83915267D1831AD676,SHA256=21C61502C0F4BE75A2CA2C489A9C644CA99B301C10B06AB6EBFFBC3AB32D957B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048082Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:30.280{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57409-false10.0.1.12-8089- 23542300x800000000000000048081Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:31.739{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88D72B548B371647EA999E744C0675FE,SHA256=67550D38BAB4DC142641CB84118C09462B300AEF9E94A03D15A461DDED089248,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029064Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:28.992{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51129-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000048083Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:32.770{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6711D0255115BD088B270321334244B,SHA256=B4C6D2324F0FC35987D44918C7AA65B7A4C33F6006763AEC0EB371D38EBF7F0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029066Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:32.750{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED56C93315885AC8885FBE70C3C37FB3,SHA256=3924464F8E1E91B1FBE2683FEC421B0985ADE5786EDFA14F3C41EA0D28040B5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048084Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:33.788{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DD93A8718E735353D089641C728440C,SHA256=201618116C98C43694C367B28A6C605C1DCB6FE08ED0E66353E988F9B70BC003,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029067Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:33.766{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C7AD7E95A3019F379D8E3E3ABDD995A,SHA256=1EA98D1FAC606BB96E732CCAAE962A3AC4DF2FCB02AA9AAB6251AC25229F17FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048096Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:34.791{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=987A6ACBA33602AD49AF8057AFF0ED6D,SHA256=1E5C8CC3371C6F4CE3B5D021CD04B6553BFB1A9C40E9B589B907CC90C75DA5A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029068Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:34.813{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66BAAC93FA829B1FEFBFC16320F5890F,SHA256=EA5982866D09401B1F64594737185682D09411D0ACA215067752461456435394,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000048095Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:00:34.538{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000048094Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:00:34.538{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0070af1b) 13241300x800000000000000048093Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:00:34.538{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a31f-0x2d9c7686) 13241300x800000000000000048092Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:00:34.538{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a327-0x8f60de86) 13241300x800000000000000048091Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:00:34.538{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a32f-0xf1254686) 13241300x800000000000000048090Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:00:34.538{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000048089Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:00:34.538{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0070af1b) 13241300x800000000000000048088Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:00:34.538{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a31f-0x2d9c7686) 13241300x800000000000000048087Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:00:34.538{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a327-0x8f60de86) 13241300x800000000000000048086Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:00:34.538{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a32f-0xf1254686) 354300x800000000000000048085Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:31.732{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57410-false10.0.1.12-8000- 23542300x800000000000000029069Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:35.829{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB2A1010A56E5278D599D54EE8E7A18A,SHA256=60C42624B121B94C3E5887D2E5AFFDF5A1C1B3CC7FE918C7053A9045FF631D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048097Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:35.822{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FFFB23A0076FCB1585B188A4B8738B8,SHA256=FD2B4BE42D341719596F72842C05C64F11F9FC80D4582E18946424AD82F7EDA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029070Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:36.829{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=407271D7E4657082E2FFC9315162A5F6,SHA256=B8E188D328AD806C25F09EEF9EE03CD477D8E635D80B3177465D4715047BD956,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048101Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:36.993{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1F04-6136-6809-00000000F001}284C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048100Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:36.993{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-1F04-6136-6809-00000000F001}284C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048099Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:36.825{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=251711481EC48E97A21D51866F6D2F00,SHA256=307A1403776E0C12013E9CBF6C126B118C1412F35B0C389CEDE2EC9D66E065BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048098Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:36.388{323FE7D8-022E-6136-1000-00000000F001}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A82D75529B85716D7497D4A3F767D488,SHA256=A08D92D6229D3585964063E6443EC7ED337F21218B317A7EA1799BADB8D9B986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048117Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:37.834{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=196C047EEC6499AECFDCE6B721BF818C,SHA256=6CF3E38E765191B9CE14608699751FD813698ABFB085CE8082313C74C6B06E4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029072Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:37.875{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=312A7FEB276E8032870ED02C80A28371,SHA256=42827DD7984829E847A4A57BDB86132D387449DBEB50D0D62070E6CB92BA2DDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029071Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:34.899{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51130-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000048116Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:37.625{323FE7D8-053B-6136-6E02-00000000F001}44403484C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6609-00000000F001}6292C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048115Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:37.625{323FE7D8-053B-6136-6E02-00000000F001}44403484C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6609-00000000F001}6292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048114Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:37.625{323FE7D8-053B-6136-6E02-00000000F001}44403484C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6609-00000000F001}6292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048113Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:37.609{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6709-00000000F001}2004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048112Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:37.609{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6709-00000000F001}2004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048111Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:37.609{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6709-00000000F001}2004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048110Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:37.609{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6709-00000000F001}2004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048109Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:37.356{323FE7D8-053B-6136-6E02-00000000F001}44401692C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6609-00000000F001}6292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a26e|C:\Windows\System32\ole32.dll+89b6b|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8e1d|C:\Windows\System32\SHELL32.dll+283a8e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\System32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x800000000000000048108Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:37.356{323FE7D8-053B-6136-6E02-00000000F001}44401692C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6609-00000000F001}6292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+b5f62|C:\Windows\System32\ole32.dll+89b39|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8e1d|C:\Windows\System32\SHELL32.dll+283a8e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\System32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x800000000000000048107Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:37.057{323FE7D8-053B-6136-6E02-00000000F001}44401692C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6609-00000000F001}6292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c46e|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8e1d|C:\Windows\System32\SHELL32.dll+283a8e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\System32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x800000000000000048106Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:37.057{323FE7D8-053B-6136-6E02-00000000F001}44401692C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6609-00000000F001}6292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8e1d|C:\Windows\System32\SHELL32.dll+283a8e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\System32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000048105Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:37.010{323FE7D8-022F-6136-1600-00000000F001}13081976C:\Windows\system32\svchost.exe{323FE7D8-1F04-6136-6809-00000000F001}284C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048104Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:37.010{323FE7D8-022F-6136-1600-00000000F001}13081348C:\Windows\system32\svchost.exe{323FE7D8-1F04-6136-6809-00000000F001}284C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048103Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:36.994{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-1F04-6136-6809-00000000F001}284C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048102Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:36.994{323FE7D8-0537-6136-5702-00000000F001}27563676C:\Windows\system32\csrss.exe{323FE7D8-1F04-6136-6809-00000000F001}284C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x800000000000000029073Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:38.891{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75568C275831A7B4D0455F507151411A,SHA256=F8E52C2FFA76667B19A738B4524AB122B01EF67A008CBA504CEFB4C37C01D00A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000048141Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:00:38.918{323FE7D8-1F06-6136-6909-00000000F001}3860C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHashSHA256=C4B0E46F4155BA37AA06C7AE47B79C4418F8A01D449A7BCE838CF0ADB1C338B3 13241300x800000000000000048140Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:00:38.918{323FE7D8-1F06-6136-6909-00000000F001}3860C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigFileC:\Program Files\ansible\AttackRangeSysmon.xml 16341600x800000000000000048139Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local2021-09-06 14:00:38.918C:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=C4B0E46F4155BA37AA06C7AE47B79C4418F8A01D449A7BCE838CF0ADB1C338B3 13241300x800000000000000048138Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:00:38.918{323FE7D8-1F06-6136-6909-00000000F001}3860C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\RulesBinary Data 13241300x800000000000000048137Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:00:38.918{323FE7D8-1F06-6136-6909-00000000F001}3860C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookupBinary Data 13241300x800000000000000048136Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:00:38.918{323FE7D8-1F06-6136-6909-00000000F001}3860C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocationBinary Data 13241300x800000000000000048135Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:00:38.918{323FE7D8-1F06-6136-6909-00000000F001}3860C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithmDWORD (0x8000000e) 13241300x800000000000000048134Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:00:38.918{323FE7D8-1F06-6136-6909-00000000F001}3860C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000007) 12241200x800000000000000048133Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-DeleteValue2021-09-06 14:00:38.918{323FE7D8-1F06-6136-6909-00000000F001}3860C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules 12241200x800000000000000048132Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-DeleteValue2021-09-06 14:00:38.902{323FE7D8-1F06-6136-6909-00000000F001}3860C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookup 12241200x800000000000000048131Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-DeleteValue2021-09-06 14:00:38.902{323FE7D8-1F06-6136-6909-00000000F001}3860C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocation 12241200x800000000000000048130Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-DeleteValue2021-09-06 14:00:38.902{323FE7D8-1F06-6136-6909-00000000F001}3860C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm 12241200x800000000000000048129Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-DeleteValue2021-09-06 14:00:38.902{323FE7D8-1F06-6136-6909-00000000F001}3860C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options 23542300x800000000000000048128Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:38.869{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B4F6DCB1591F997CF4252722D1716D8,SHA256=46282E34103B89F7D4A8609BE1E2236243753E99EEEE04E38FDD55EB7161B979,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048127Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:38.556{323FE7D8-1EFC-6136-6709-00000000F001}20041936C:\Windows\system32\conhost.exe{323FE7D8-1F06-6136-6909-00000000F001}3860C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048126Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:38.556{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048125Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:38.556{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048124Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:38.556{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048123Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:38.556{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048122Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:38.556{323FE7D8-0537-6136-5702-00000000F001}27563676C:\Windows\system32\csrss.exe{323FE7D8-1F06-6136-6909-00000000F001}3860C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048121Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:38.556{323FE7D8-1EFC-6136-6609-00000000F001}62925640C:\Windows\system32\cmd.exe{323FE7D8-1F06-6136-6909-00000000F001}3860C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048120Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:38.529{323FE7D8-1F06-6136-6909-00000000F001}3860C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{323FE7D8-0539-6136-E7C9-190000000000}0x19c9e72HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{323FE7D8-1EFC-6136-6609-00000000F001}6292C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x800000000000000048119Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:38.009{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C38BE49B0674F84F0F84BDD3312C7FA,SHA256=62F593017B7F26B91E9090EDF4F284E9853F7080F749794FD333D73C5102E3BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048118Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:38.009{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0F61B6335127FC99FC80F4D71436AC8,SHA256=4559C992CE63F7F99AED0712C7D8A8BB625B7B81294C6DCA5E30A0EC7E1C9B50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029074Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:39.895{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=009BAAF29BE0F77DCF4D635332C6F2AE,SHA256=5850FB17736257874412908623984648B6798084020A58E507101088CCE67F41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048144Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:39.883{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CBDEA2FA42BEA1ABC7DF59AE9A1D8F9,SHA256=CBE02109571DCF39F1969C0B9C7B52BA2548A825B01288EFEEB1584D72F9304D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048143Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:39.536{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C38BE49B0674F84F0F84BDD3312C7FA,SHA256=62F593017B7F26B91E9090EDF4F284E9853F7080F749794FD333D73C5102E3BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048142Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:39.352{323FE7D8-022C-6136-0B00-00000000F001}624764C:\Windows\system32\lsass.exe{323FE7D8-022A-6136-0100-00000000F001}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000029075Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:40.911{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE0DDB833A8DF29E2B924B2FC54675F,SHA256=BB8AD56275CCC1B211B9F27BAB5569B1437BDF26209929D5DF0CA49301040A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048151Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:40.884{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB283CC8E76889AF82C6DA98959E9A4B,SHA256=7C36AE1F249B57DCB1A5D078A921444D8243D3EDABFE907A8F6979C04CF7E51E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048150Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:38.848{323FE7D8-022F-6136-1600-00000000F001}1308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local57414-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 354300x800000000000000048149Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:38.848{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local57413-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local49666- 354300x800000000000000048148Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:38.847{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local57413-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local49666- 354300x800000000000000048147Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:38.847{323FE7D8-022E-6136-0D00-00000000F001}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local57412-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local135epmap 354300x800000000000000048146Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:38.846{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local57412-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local135epmap 354300x800000000000000048145Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:37.764{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57411-false10.0.1.12-8000- 23542300x800000000000000048165Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:41.885{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F56D730CCFCB68CD28475936C1C9E6,SHA256=A3DE4DE03CDD2401326E5172CECF35A42DD1504D2637ABA9159CCF3F9FBD6AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029077Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:41.911{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE6ED34083D849555796EB6FA4E854C6,SHA256=354D6D007BE45B9F3FF91E3A9B001013E0DBD438FE85E06C84A75B2B343EC81B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029076Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:39.965{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51131-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000048164Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:38.952{323FE7D8-022A-6136-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local57418-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local445microsoft-ds 354300x800000000000000048163Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:38.952{323FE7D8-022A-6136-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local57418-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local445microsoft-ds 354300x800000000000000048162Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:38.949{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local57417-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local49666- 354300x800000000000000048161Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:38.949{323FE7D8-022E-6136-1400-00000000F001}1096C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local57417-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local49666- 354300x800000000000000048160Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:38.948{323FE7D8-022E-6136-0D00-00000000F001}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local57416-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local135epmap 354300x800000000000000048159Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:38.948{323FE7D8-022E-6136-1400-00000000F001}1096C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local57416-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local135epmap 354300x800000000000000048158Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:38.861{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-456.attackrange.local57415-false10.0.1.14win-dc-456.attackrange.local389ldap 354300x800000000000000048157Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:38.860{323FE7D8-022F-6136-1600-00000000F001}1308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57415-false10.0.1.14win-dc-456.attackrange.local389ldap 354300x800000000000000048156Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:38.848{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local57414-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 10341000x800000000000000048155Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:41.123{323FE7D8-0617-6136-F403-00000000F001}44767148C:\Program Files\Mozilla Firefox\firefox.exe{323FE7D8-061A-6136-F603-00000000F001}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+a2bf79|C:\Program Files\Mozilla Firefox\xul.dll+a2be9a|C:\Program Files\Mozilla Firefox\xul.dll+a2ba89|C:\Program Files\Mozilla Firefox\xul.dll+a27bdf|C:\Program Files\Mozilla Firefox\xul.dll+a27eec|C:\Program Files\Mozilla Firefox\xul.dll+b7531a|C:\Program Files\Mozilla Firefox\xul.dll+2f1c79|C:\Program Files\Mozilla Firefox\xul.dll+2f1b84|C:\Program Files\Mozilla Firefox\xul.dll+2f196d|C:\Program Files\Mozilla Firefox\xul.dll+2f1804|C:\Program Files\Mozilla Firefox\xul.dll+bc6763|C:\Program Files\Mozilla Firefox\xul.dll+bc7431|C:\Program Files\Mozilla Firefox\xul.dll+bc645d|C:\Program Files\Mozilla Firefox\xul.dll+bc63b2|C:\Program Files\Mozilla Firefox\xul.dll+b95ffd|C:\Program Files\Mozilla Firefox\xul.dll+1a626ab|C:\Program Files\Mozilla Firefox\xul.dll+b9be3e|C:\Program Files\Mozilla Firefox\xul.dll+fed050|C:\Program Files\Mozilla Firefox\xul.dll+2dae46|C:\Program Files\Mozilla Firefox\xul.dll+2d424d 10341000x800000000000000048154Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:41.038{323FE7D8-053B-6136-6E02-00000000F001}44403484C:\Windows\Explorer.EXE{323FE7D8-0617-6136-F403-00000000F001}4476C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048153Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:41.007{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-0617-6136-F403-00000000F001}4476C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048152Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:41.007{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-0617-6136-F403-00000000F001}4476C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048175Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:42.938{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74F63B9175083D24013CDBB73AFE0DD7,SHA256=382175C04856675C372F46AB9B35808D5428726EE46236C8253DF0CC7073A7C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029078Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:42.911{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AD882D132AFAD3CC2B8D549693816D2,SHA256=00976D18671CDFF527BD0F32EA48FBBBF95B80F549DA15C9C10E878082ABA12F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048174Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:42.538{323FE7D8-0617-6136-F403-00000000F001}44767148C:\Program Files\Mozilla Firefox\firefox.exe{323FE7D8-0A78-6136-EC06-00000000F001}6040C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f0b0|C:\Program Files\Mozilla Firefox\xul.dll+e75c88|C:\Program Files\Mozilla Firefox\xul.dll+e75687|C:\Program Files\Mozilla Firefox\xul.dll+8d9557|C:\Program Files\Mozilla Firefox\xul.dll+8cda04|C:\Program Files\Mozilla Firefox\xul.dll+19e742e|C:\Program Files\Mozilla Firefox\xul.dll+168b684|C:\Program Files\Mozilla Firefox\xul.dll+1a11aac|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+2642e|C:\Program Files\Mozilla Firefox\xul.dll+1a1028|C:\Program Files\Mozilla Firefox\xul.dll+19fedf|C:\Program Files\Mozilla Firefox\xul.dll+41ed1ea|C:\Program Files\Mozilla Firefox\xul.dll+4258fcd|C:\Program Files\Mozilla Firefox\xul.dll+4259c43|C:\Program Files\Mozilla Firefox\xul.dll+1efd6f3|C:\Program Files\Mozilla Firefox\firefox.exe+5c1d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb28|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048173Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:42.538{323FE7D8-053B-6136-6E02-00000000F001}44403484C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6609-00000000F001}6292C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048172Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:42.538{323FE7D8-053B-6136-6E02-00000000F001}44403484C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6609-00000000F001}6292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048171Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:42.538{323FE7D8-053B-6136-6E02-00000000F001}44403484C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6609-00000000F001}6292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048170Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:42.522{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6709-00000000F001}2004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048169Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:42.522{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6709-00000000F001}2004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048168Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:42.522{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6709-00000000F001}2004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048167Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:42.522{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6709-00000000F001}2004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048166Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:42.507{323FE7D8-0617-6136-F403-00000000F001}44766140C:\Program Files\Mozilla Firefox\firefox.exe{323FE7D8-061A-6136-F603-00000000F001}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e20|C:\Program Files\Mozilla Firefox\firefox.exe+37d16|C:\Program Files\Mozilla Firefox\firefox.exe+492f0|C:\Program Files\Mozilla Firefox\firefox.exe+48fec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029079Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:43.926{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE7207B8C094EA43F82BEEE517D36EB5,SHA256=B811BAFFB0BF6676D06380430A01014C88004E0D5F905644BC466FD28BAAC093,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048176Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:43.952{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD87DE3668744178E97A7DB8010A70DC,SHA256=154E38F4EA8865E0A1758AC09EF8766E610844BDED7A9AC8F2D75B4DC9D080DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029081Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:44.929{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5AE2BD20D1296A74D032A214D1A7FEF,SHA256=F68A9C737AF6704295E5EB395E31E86498A543F7FF62894B0BEDACC628CB30CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048177Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:44.967{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F989C7EE895D243410D79A073E3DC3BB,SHA256=E1668101FCE3AC99923B20793F137359313708220A01E3C6220553F6DFEA5AEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029080Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:44.620{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\respondent-20210906120554-111MD5=4761C661187147E55C9BD88F93ACDD3F,SHA256=E49051AD655512C416AEEFA39D6145E31F50204E8459201070596158B48A8487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029083Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:45.959{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E477F80C26ACF21645E633B435C717C,SHA256=E700FEA3F30F689C8A87EFADBB7F40B5531C63EBF185BD1802CB8D21146334BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029082Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:45.633{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\surveyor-20210906120551-112MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048178Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:42.793{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57419-false10.0.1.12-8000- 23542300x800000000000000029084Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:46.992{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA88907FC3D2F644FFCE714D6A063DF6,SHA256=FE91E9CE575E559067D7CA77D7DD848A29810FB113719D87919BCBAF554B12C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048179Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:46.001{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B05E3E92B76E0BA7F529B0C58088AC9,SHA256=6524FD048C9E1DDA07107BEB262C6DA05CE11436950E1679068F1D64D671B499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029086Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:47.992{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=976CD651BF01C3E637AACF971883CCC4,SHA256=43AFBBF96D22B643FD1E2FCBDF564B7B2C625C4DD14A210B2E64499C84F38BEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048189Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:47.950{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=F108B67537B245EF302C1F91B0C8A502,SHA256=1B5784702660DAFD30122842B4F985CAEFD3B28AEC625996947779A743BCA4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048188Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:47.950{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=0BF200003EAF96653CA34933A049AD72,SHA256=3E5467A298E85201DA512BD7CF1A95D70254C4BF57F1E7E8E9E134E2E8B6735E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048187Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:47.950{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=736693AF064C1E43BD1AD3AB6B88C349,SHA256=1B7ABAA3D991EA26633CD2F905D541292FFBD91A4F2C74A27816D96243458519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048186Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:47.950{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=C244640EB999496D3A30DF9C17E4A1DC,SHA256=D169272A4D1546EBAC01C447554537F6F63B53CC17EBA809DC1AA9EA9BD2D964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048185Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:47.950{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=0A1FA4A037D5070E1E2922D4916EC9CC,SHA256=DC39EC314DAB4352FD0A5AD47705D6016BBE7475613A1074A7A40E8D673799B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048184Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:47.950{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=04A9B0F51473F5490B8249D6ABC11A96,SHA256=26A51E0350E096FA6EA97A2985A32E3D898CD348C5996B0EEDE4992C9AAA49CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048183Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:47.950{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=0EFEB201531BD717F419A0453A4024A1,SHA256=2717B0CE29EE1E1346667CCB02BE03EBF530BA249C566DEC28573824C60A0DB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048182Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:47.950{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=FF09FCE7EADD5D70E5F5E3DB1EE5ED09,SHA256=7379142B535BB1EB93F4AF64CC75BEE15CE8395B51F8A824228F4ACEF5EDED94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048181Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:47.950{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=73ABE45B3F5C8F2B13AFD4D508EAE0E3,SHA256=4374513024E80716A9BED8AA857E96EE7ADAAC369AAE07677AA402F793132437,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048180Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:47.019{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=046A87D504C1721F450D6494876C43F1,SHA256=DA6262C54CE26BEF1322C39BC7023253958C5C74F0AE340CB1CE5B4BCE98E4F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029085Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:45.951{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51132-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000048190Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:48.050{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6C078AE1B3080DA76EF0BBC85496C96,SHA256=9142EC6244FCE12DEF53A745DD3E6913FC13F0FE99154D923198DFD37EFDB295,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029087Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:49.008{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=114C1D7D954714EA2825C1B5F4813CAB,SHA256=8D097EF1B116B8BDA1F3C596D7C9CBEFCB70B77694ED28564060FFEA7A2A3973,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048192Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:47.811{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57420-false10.0.1.12-8000- 23542300x800000000000000048191Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:49.081{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E71900CCCD399BAAE9CD37AF5B4C349,SHA256=C57D1253078A37900AEF95DBE92A493287DAB5F53B3DBCF0E78D808E28AD1524,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048196Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:50.303{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048195Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:50.303{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048194Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:50.303{323FE7D8-022C-6136-0B00-00000000F001}624764C:\Windows\system32\lsass.exe{323FE7D8-022C-6136-0A00-00000000F001}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048193Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:50.101{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86B740AD032521A2A89B71885121FB88,SHA256=62B770C69EC31FB8BCF8B6D412443FDFFE64F16260D38D9568BA62FB15B1E79D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029088Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:50.086{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1CDC845E3988609D19DF231089BD584,SHA256=954B572D7751377CCFBD6315C59320712EE02CD6740BBC2AC8D4E37936B5048E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048201Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:51.318{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D83292825287C5EA8B75C4D16C883548,SHA256=D85D8A666FC5AEFC8992B014089294F5285305B2B12ACDB4D53C029FCA99B5C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048200Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:51.318{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=EE176543C44EB978E885EB77DAFCB769,SHA256=6EBBA66AD6A7EEC95216D6C43A3ECFEC7B50346D4BECEB614F010FAFA2EA575A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048199Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:51.180{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A919BFA6C76CB1761DCA8FA137F5E218,SHA256=346B4FE28B5A8CC7A7576BFD056EB4A00FC1EDAB63B3E5D7043CA81EA6C42A08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048198Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:51.180{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C996247FA842BE708DFFDA41B0BA9EE3,SHA256=2CBBFE8812BC76EEB41A9765C2895DAE24CBF70CA2CDBECD4229B4A25223071B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048197Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:51.118{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C8B06A8A4B1421722C344A0ABB69769,SHA256=0C97B97A51BA5208B0E32F6C93676BB6548FC14020CE0DEB08FBCAD473243E32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029090Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:51.727{FFF7FB96-041E-6136-1200-00000000F101}1020NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B8E4E48B71251698E12C1E71D420A61A,SHA256=72939FB5B2C398D5074CA02B2FC20EACEAE5C367A15D3091E47556A00F82FA70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029089Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:51.086{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79EC98AF61EBAE2FD99B278B294279B5,SHA256=C22DC3851CB69EA1556CB9A2A1E47D0DB250B1C6EDA8345385CFACF7B45C16A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048204Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:49.906{323FE7D8-022E-6136-1400-00000000F001}1096C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-456.attackrange.local57421-false69.16.175.42tlb.hwcdn.net80http 354300x800000000000000048203Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:49.900{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local54169- 23542300x800000000000000048202Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:52.133{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E20EBF6427EF3499C467A9720215174C,SHA256=7A6950555422B1A4BB35CE7B4273482774C7C9D74B7742880010F8D41AA72A25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029091Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:52.102{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9D838E19678759B6AB8E9F51914B80D,SHA256=ABDD429E25085FF6D96D3F23B19A634D9F11F60D171711BE6E20D6D9B4B4C7E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029093Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:51.984{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51133-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029092Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:53.102{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98A9EDA2998816608E2A77A5ABBB855F,SHA256=60AD9BCD44EF13DB9E58E569B0ADBF103C95B04D1B1AECF69D1580605F04E913,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048205Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:53.148{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16585753E5EA899251EFEE2313C53F4D,SHA256=853897026D2869B9D2B7D48D7495E86C2475B5E4EF8F0CF19FA52C6E751EAA96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048206Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:54.164{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A07BD2908D0DE384C6A88FD59361F9CB,SHA256=CF57E10514D1FF690B842068DDEBE5C8C07D26F727DC3D56B90F278F51B7D62D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029094Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:54.117{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E11F2E47ADD041A103E9BFCE677322A,SHA256=C968CE21ABFF7AC5A52A5CBB1C94D049BF6093B647FC90F2A174E77A16FA3EAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048208Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:53.725{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57422-false10.0.1.12-8000- 23542300x800000000000000048207Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:55.179{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46317D7D29B43DD08F7C8D66B09A3328,SHA256=212BB22C2BF0CCBFEAF673A3D2710522BB3932640C6FD410F4C2CB2B9E3FB705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029095Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:55.134{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76B3E52E750C04F88C1D53ECE17D5419,SHA256=3BE47BE9F9CE129D45A9811EF0A7F5F458829277FF45087C86EA5BE23C47B9C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048210Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:56.418{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\respondent-20210906115753-119MD5=58D52BFFD80488B8005F7C319C2D4334,SHA256=B9D8441D1BC2ED8425146F5F211E2A21C477807F4E0B7EBAD9811C868FAB9279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048209Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:56.198{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E22DC0EF9DE0E77400F15EF7C359C4A,SHA256=DA3F0686A51EF13E3B1123BEC1E96480EB1EDD48B2CF31922DBD17912D08267B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029096Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:56.134{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1E26F39D023A53CD018DA20CF01ED15,SHA256=72CBE63CA632D34B2C6E990CEE372BEA243CCDDEEF1D0F0FE58110DCD6D7A95E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048221Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:57.984{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=99F64C5A141AC56396FCC57586AA5E80,SHA256=1BEAD5A1178C075514B4794B7B3792EFB05CCA6CE85A1842AD1FA777C5A6C74A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048220Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:57.984{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=B8A6A94D2AFDD07B1573C331A2CC2358,SHA256=F4361CE4D9C28B9B97C0DC23BF628C6950ABA6C3CB61B9321281EC6ADAF4C32A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048219Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:57.984{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=02568C71A19A4CD2774982AAC8652407,SHA256=F6C1052E0C3C879A0ECE2DAD0401F5429F02F160C9CBC3750A02AEED69596C73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048218Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:57.984{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=43A7ABFC2B7AEFA3A9B734BABB5FAD23,SHA256=048EF5A18DD16E9DBA032D6E1D809C467528E8F86371B4ED812915784FD47FF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048217Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:57.984{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=B64CA323916E3401643E65FA1AED65F0,SHA256=AABC6D70BC8DE666F5D1B033206888C6805AE0D60D4D2663F9F8BDB59B2BE3E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048216Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:57.984{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=BC4CBDF8D440C7EBDBE1B2D586D52EA5,SHA256=B3D31AB11F2466C68C0CBEAFB93D098649CF5CC4BB8E20FDDBF6C3E8483C069F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048215Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:57.984{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=FA9873F73AFCD7760A7E7A51772A102B,SHA256=171F8DA44E74F924A1D0043D812C34E58CB52A4F9D0F20B35AFFDBFEFA60F55E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048214Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:57.984{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=E84C16B6B5FD33CAC0700AD1833FB2F6,SHA256=6DF442021DA28D321A206B1AD7ED8D5CD9F31FADC68E596977CB33557A3C9A31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048213Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:57.984{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=B2D4BC2AA6786A5524EF4F750304EE79,SHA256=EA42F23F9E3316504ECDE9AC40A5A91B1D2FBA933BBFB216D3BAC3605BCC9D75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048212Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:57.432{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\surveyor-20210906115751-120MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048211Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:57.216{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC2BA21DBA5AA19F300F5B0C908ED761,SHA256=16A5841E7A7BF4E70561284B471AE957F392639CED6769CF5E8E23250557EF0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029097Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:57.134{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C51EB1CB55328FA7D3B7E954D0E10574,SHA256=07C6FD65B22D8C53382852C7FE30C7AE6265D28751DC3DB529A3597C5E8717D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048222Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:58.232{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90D46943A96FC94BFAB68D4B663DAC20,SHA256=D8F7CE983B4DF26F7834C21EAB05A09385DAEE8BB17BC7E8285036AAF6AE5A04,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029099Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:57.017{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51134-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029098Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:58.134{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5DBDF15A27530418335BD86654DE044,SHA256=838A7A629CCFFDEE4EA1B9D3CB61E863992CADD0E9DD313B9678F3F071E1A301,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029100Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:00:59.150{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D131B9AAE230680A9FB7CA483F6BEEEC,SHA256=A0AB7FB978FE9CFC6257E00B2B401A0FCCC063ED665FB55802975F92BC8E03B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048223Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:59.262{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47735E139874543C588A558F654A946A,SHA256=8456EAAB03BC9AC274C88E12F8F130E324FDC81BA991453FB9E298145DBD9110,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029101Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:00.162{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E591BD2539B508BA54829311C8230CC,SHA256=5F4E633F29A66EE1DCA4F90A8270C19C4C438E41B0A48A93078F556DF71E0776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048224Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:00.277{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C14CE2FB83995924D96BE96E6F3158E7,SHA256=8F0D11C41EF74CC181D0ABB467A0BB45F6EBE86932137BC10202DBBC43396446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029102Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:01.178{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC4092063D48D6690677843468F4E1E,SHA256=6668FCB45678194F3CB7B6939146B6C98E82C76F83F0EDCF2D1C1952BF633CE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048226Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:00:59.770{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57423-false10.0.1.12-8000- 23542300x800000000000000048225Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:01.295{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B298688C0C86828C6B489479936D3C38,SHA256=635219AA8306EF1AAB54A825A5DE90865A560EE4B5242928DE3618C1BE414E80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048227Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:02.314{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87D8B72FB77417A3ED67523C54CAADC3,SHA256=FDF38946D40D33BF7460A1066A33E564F456C7D42D11CB051659E2EFEBB11A24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029103Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:02.178{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B9CD0BD2C7331B2F37822350FEF2C01,SHA256=9618408738CDF27761FFB59C4850B742A4A5CB9B954A370D740B5D853495419E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029104Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:03.193{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F39DC17402E5AAAA6BF02B1D223AF124,SHA256=1E43C68DC72CA6000ACF17FFC12B3FCABB06B05C5500E20E9540711B5457A6F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048228Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:03.329{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34BE47FDEB2FD9F1A31A35827959EB53,SHA256=7A4F193077E061E09B74F4A63210A587C68C93AAA2E0280B02434F01BD0B5254,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029119Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:04.709{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1F20-6136-DD06-00000000F101}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029118Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:04.709{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029117Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:04.709{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029116Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:04.709{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029115Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:04.709{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029114Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:04.709{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029113Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:04.709{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029112Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:04.709{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029111Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:04.709{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029110Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:04.709{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029109Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:04.709{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1F20-6136-DD06-00000000F101}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029108Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:04.709{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1F20-6136-DD06-00000000F101}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029107Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:04.709{FFF7FB96-1F20-6136-DD06-00000000F101}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029106Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:04.193{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF8435D5F7D957EC9DBA6FFBCF6FF4CB,SHA256=FA87ECFDAE7D6985986F7766A8B7885FD816718BFDA5F106696ACC56C675CD8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048238Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:04.544{323FE7D8-1F20-6136-6A09-00000000F001}51326016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048237Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:04.360{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1F20-6136-6A09-00000000F001}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048236Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:04.360{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048235Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:04.360{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048234Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:04.360{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048233Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:04.360{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048232Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:04.360{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1F20-6136-6A09-00000000F001}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048231Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:04.360{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1F20-6136-6A09-00000000F001}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048230Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:04.361{323FE7D8-1F20-6136-6A09-00000000F001}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048229Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:04.345{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D36A7A997E795C7531F9685D2DA2B206,SHA256=3DB98ADEC6512BC5B800C7D0061F9FC939C45AA8B0D242D62FABB79CE73523EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029105Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:02.060{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51135-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000048257Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:05.713{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1F21-6136-6C09-00000000F001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048256Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:05.713{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048255Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:05.713{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048254Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:05.713{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048253Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:05.713{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048252Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:05.713{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1F21-6136-6C09-00000000F001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048251Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:05.713{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1F21-6136-6C09-00000000F001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048250Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:05.714{323FE7D8-1F21-6136-6C09-00000000F001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048249Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:05.401{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD5F70ECE69C92830A01AFCDA3A00A91,SHA256=28BF781FCB1DA9E14836BDF17A5999EDB8582AB71837B1C7F994AA34B6927D7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048248Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:05.400{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7347664FD8A9F7A6A40A3DBD4C8FCCF,SHA256=3B47778153F8D0818F54D3607173415E6579AA23FDC10A42DC5D41A400AC8E63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048247Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:05.380{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A919BFA6C76CB1761DCA8FA137F5E218,SHA256=346B4FE28B5A8CC7A7576BFD056EB4A00FC1EDAB63B3E5D7043CA81EA6C42A08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029149Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:05.896{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1F21-6136-DF06-00000000F101}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029148Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:05.896{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029147Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:05.896{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029146Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:05.896{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029145Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:05.896{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029144Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:05.896{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029143Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:05.896{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029142Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:05.896{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029141Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:05.896{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029140Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:05.896{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029139Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:05.896{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1F21-6136-DF06-00000000F101}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029138Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:05.896{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1F21-6136-DF06-00000000F101}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029137Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:05.897{FFF7FB96-1F21-6136-DF06-00000000F101}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029136Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:05.756{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66E8A0DB84375C962A285383EEDC497B,SHA256=4127060C2944F1B2B2A134FDDE26B257674440C0AEA3E53E18D26FFD33ACAF9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029135Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:05.756{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79153784F1C716BB557B4F84550A3CF4,SHA256=05D2565784CFB216F949AB6A62A9302EDBBB8299BF75A643DFFFD37D972AC852,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029134Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:05.506{FFF7FB96-1F21-6136-DE06-00000000F101}10683884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029133Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:05.381{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1F21-6136-DE06-00000000F101}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029132Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:05.381{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029131Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:05.381{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029130Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:05.381{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029129Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:05.381{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029128Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:05.381{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029127Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:05.381{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029126Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:05.381{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029125Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:05.381{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029124Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:05.381{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029123Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:05.381{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1F21-6136-DE06-00000000F101}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029122Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:05.381{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1F21-6136-DE06-00000000F101}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029121Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:05.381{FFF7FB96-1F21-6136-DE06-00000000F101}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029120Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:05.209{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60956B46EF0D134375F0FF7E9CC149A5,SHA256=09ADA32BB33843D4B02DA918062D6441465562FDA315211DD2B43D2BA52C8E5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048246Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:05.044{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1F21-6136-6B09-00000000F001}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048245Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:05.044{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048244Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:05.044{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048243Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:05.044{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048242Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:05.044{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048241Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:05.044{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1F21-6136-6B09-00000000F001}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048240Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:05.044{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1F21-6136-6B09-00000000F001}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048239Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:05.045{323FE7D8-1F21-6136-6B09-00000000F001}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048259Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:06.730{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7347664FD8A9F7A6A40A3DBD4C8FCCF,SHA256=3B47778153F8D0818F54D3607173415E6579AA23FDC10A42DC5D41A400AC8E63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048258Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:06.399{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78214AD66A64AD566ED9DF19207662E0,SHA256=D0E0B8E29A804076795688757FDC6A741CAF6685856ED96C3981BABC50AE9347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029152Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:06.912{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66E8A0DB84375C962A285383EEDC497B,SHA256=4127060C2944F1B2B2A134FDDE26B257674440C0AEA3E53E18D26FFD33ACAF9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029151Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:06.256{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8077770040BE57B207F35E254DE298E,SHA256=A34675042F46AEB227F3FF08D1558963FDEA7C0D2DB5B8F6D7DB278C2DCD0729,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029150Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:06.146{FFF7FB96-049C-6136-9F00-00000000F101}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048270Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:05.391{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local57424-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000048269Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:05.391{323FE7D8-023F-6136-2800-00000000F001}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local57424-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 10341000x800000000000000048268Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:07.829{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1F23-6136-6D09-00000000F001}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048267Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:07.829{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048266Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:07.829{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048265Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:07.829{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048264Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:07.829{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048263Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:07.829{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1F23-6136-6D09-00000000F001}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048262Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:07.829{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1F23-6136-6D09-00000000F001}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048261Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:07.830{323FE7D8-1F23-6136-6D09-00000000F001}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048260Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:07.414{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06F9CA00AE3904F8A0C7A6D40D1950E6,SHA256=FBA08BCC660CDB44BBDA4446D9B4718306D731463F81EF321A919692FAF301A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029180Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:07.834{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1F23-6136-E106-00000000F101}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029179Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:07.834{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029178Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:07.834{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029177Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:07.834{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029176Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:07.834{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029175Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:07.834{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029174Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:07.834{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029173Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:07.834{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029172Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:07.834{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029171Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:07.834{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029170Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:07.834{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1F23-6136-E106-00000000F101}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029169Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:07.834{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1F23-6136-E106-00000000F101}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029168Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:07.835{FFF7FB96-1F23-6136-E106-00000000F101}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029167Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:07.599{FFF7FB96-1F23-6136-E006-00000000F101}32363872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029166Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:07.334{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1F23-6136-E006-00000000F101}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029165Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:07.334{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029164Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:07.334{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029163Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:07.334{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029162Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:07.334{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029161Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:07.334{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029160Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:07.334{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029159Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:07.334{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029158Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:07.334{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029157Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:07.334{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029156Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:07.334{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1F23-6136-E006-00000000F101}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029155Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:07.334{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1F23-6136-E006-00000000F101}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029154Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:07.334{FFF7FB96-1F23-6136-E006-00000000F101}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029153Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:07.271{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=468418A8A550D61B5D76E15F1709F5CC,SHA256=A8056199508F755F19D2852957BC07F3FE7A3E6C26F7DFEFE2917D8B95DAE89C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029198Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:08.631{FFF7FB96-1F24-6136-E206-00000000F101}3724340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029197Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:08.537{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=148FD4370396D3EBEB84B8BF986751B4,SHA256=63DA0ABD7FAB1C3F4E7234884373784D841CE7DC1CC586E73E62714BB16B399C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029196Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:08.537{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3457B6AEE9AAB8BBFC2CF59F4B74071,SHA256=442C30DE6DD9D6F7A65039917FDAA4A1DBE31D2BCF72FFC605072ED06F670C21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029195Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:08.506{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1F24-6136-E206-00000000F101}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029194Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:08.506{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029193Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:08.506{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029192Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:08.506{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029191Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:08.506{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029190Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:08.506{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029189Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:08.506{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029188Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:08.506{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029187Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:08.506{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029186Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:08.506{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029185Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:08.506{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1F24-6136-E206-00000000F101}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029184Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:08.506{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1F24-6136-E206-00000000F101}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029183Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:08.506{FFF7FB96-1F24-6136-E206-00000000F101}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000048283Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:05.792{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57425-false10.0.1.12-8000- 10341000x800000000000000048282Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:08.895{323FE7D8-1F24-6136-6E09-00000000F001}45326424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048281Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:08.848{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD41784360D1F8549B91A58CDF763E06,SHA256=951F9E3AE3DDA8C94CF0E341AA6A64229419369A4F7A680978E82E1EF492180C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048280Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:08.710{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1F24-6136-6E09-00000000F001}4532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048279Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:08.710{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048278Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:08.710{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048277Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:08.710{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048276Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:08.710{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048275Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:08.710{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1F24-6136-6E09-00000000F001}4532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048274Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:08.710{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1F24-6136-6E09-00000000F001}4532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048273Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:08.711{323FE7D8-1F24-6136-6E09-00000000F001}4532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048272Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:08.426{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF475F78AA80206F27D964C2D9108F2E,SHA256=ADA7BFA42A3F9D6E096CE2F73BC05AC3FF4DCFBCB4E1D6BF6B35361C58EFB606,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048271Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:08.221{323FE7D8-1F23-6136-6D09-00000000F001}62646708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000029182Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:05.982{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51136-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000029181Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:08.006{FFF7FB96-1F23-6136-E106-00000000F101}34524040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029213Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:09.678{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A0EBCCC73ECADE213DFE6ED0A1376FF,SHA256=16FFFF102185DB0449E4BD04A663EF283FBCD099409F229E3D7525D54D4DC6B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029212Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:09.678{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C65992739F1C3E865CCCD6B1AD5C41AC,SHA256=00E88A3AA384AE5388516F0C4B609DBC0502E40CF208FA4366BB8558A0956D29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048301Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:09.881{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1F25-6136-7009-00000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048300Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:09.881{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048299Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:09.881{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048298Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:09.881{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048297Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:09.881{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048296Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:09.881{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1F25-6136-7009-00000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048295Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:09.881{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1F25-6136-7009-00000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048294Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:09.882{323FE7D8-1F25-6136-7009-00000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000048293Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:09.682{323FE7D8-1F25-6136-6F09-00000000F001}55323996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048292Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:09.448{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC40E746B8EE6C95194F5B1CBA4CCB33,SHA256=7AB2494A4D97C72034067AE1C80653D4A008262CC03BEAE177BCC5C9B5FFD6F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029211Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:09.178{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1F25-6136-E306-00000000F101}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029210Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:09.178{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029209Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:09.178{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029208Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:09.178{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029207Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:09.178{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029206Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:09.178{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029205Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:09.178{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029204Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:09.178{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029203Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:09.178{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029202Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:09.178{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029201Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:09.178{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1F25-6136-E306-00000000F101}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029200Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:09.178{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1F25-6136-E306-00000000F101}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029199Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:09.178{FFF7FB96-1F25-6136-E306-00000000F101}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000048291Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:09.395{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1F25-6136-6F09-00000000F001}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048290Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:09.395{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048289Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:09.395{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048288Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:09.395{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048287Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:09.395{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048286Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:09.395{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1F25-6136-6F09-00000000F001}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048285Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:09.395{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1F25-6136-6F09-00000000F001}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048284Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:09.395{323FE7D8-1F25-6136-6F09-00000000F001}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029215Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:10.709{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D68CD63CABEA0A0606F4345BFF2BFB3,SHA256=F34B71D5B2AD5793B3C36FB85435BAC97BFF1B324F3812A87F8BD4EA371B1BB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048303Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:10.482{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9B5CA60E9BA9392B32696CAF6FD5855,SHA256=07B7C93555C19C551239730F1C0AAD96CFDC06B8FF957A0D5D46E78CE0E13FB5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029214Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:08.045{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51137-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000048302Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:10.414{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB8B1C4540AAF6E3B97DFAF6116F4680,SHA256=282A62176A3D51B73ABA096FFDB92AC2E2D5EEBF71900CA2993804BF0CA6AF60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029216Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:11.724{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=851AC84139F9ECF2FC8263FDDA31036F,SHA256=95EBA1B3AB581C7A8FDFE71BC37238A9E0827AFEBD29E838E7DE5AB7EF1A9915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048304Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:11.497{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DF4B82C9035A7F69AB5F337761DBC71,SHA256=1EE4123B0C3087F78B44034FD67A62DF221BE994BBEF27BE424E7329AB42A165,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029217Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:12.740{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=207DF7B00C8D96DD7C15C6502DFA38A9,SHA256=530CADF74230B9303BAD8313AC6C3DAC6547AB4C9EFDA27D025EC6644E029C9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048306Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:10.859{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57426-false10.0.1.12-8000- 23542300x800000000000000048305Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:12.513{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87C32B903AF922DD2EE93B4EAABD087B,SHA256=8D09DAD40127252792D7993BCA8FB18C45A4A6A7B066C2C2BE8E9E09BC7F9EF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029218Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:13.740{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC27792045BA9F27DBA1E4771D4BA45,SHA256=94AF9496FFECF2254E61F027F6EA6B206B61986C01A75E8EC912D8A938ED9561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048307Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:13.513{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF9FD2D2A8904E707725FD73E5DFEA58,SHA256=5A554F147D3645CC60DA97569F65F940DA7BB8C05CCE2E1A1D37C4061728A67B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000029220Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:01:14.787{FFF7FB96-041E-6136-1100-00000000F101}1008C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a327-0xa7f8dace) 23542300x800000000000000029219Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:14.740{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C96B10D868144ACE223AC55D41E6ABAB,SHA256=A65AF51A518B0E9BEAB858EFCE577D85C62042DAAA1368D4B6C34455F028989E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048308Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:14.547{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDBD038FB912837D658BEFA8F4232B6B,SHA256=CF37B7C4AE6F4ADD756FC4C67F268E12FC2F5B0BE5EA1F35B048D8CA97784ACC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029222Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:15.756{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C25495ECB21599313BC9FA4AD0F6CECB,SHA256=39558ADEEE916D6720D3043831143C5843CDBFFF943A49762F7D9C851E62B0A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048309Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:15.581{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D8A4086DB2FEC09BFBD94F5A7BB375D,SHA256=5F8F990B8BC9C95546AD3D3E45CA23350D7D9204B58D7052FACDC550FBBD2958,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029221Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:13.920{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51138-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029225Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:16.756{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=894E13456289D9AFFFC49D50DCB4A934,SHA256=3E22E3C57925CD8912BFDB23BA5F9CDE5C816B9EC33C8A4B1BA3B239D377FAA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048311Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:14.395{323FE7D8-022E-6136-1100-00000000F001}492C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-456.attackrange.local123ntpfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal123ntp 23542300x800000000000000048310Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:16.611{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7292DC289765DF155DBA83F3FB380BD,SHA256=B2142261ACD8E5D269033766BBF71FF4B627D338B2561760B463ADEE6B78BDB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029224Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:14.622{FFF7FB96-041E-6136-1100-00000000F101}1008C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-353.attackrange.local123ntpfalse20.101.57.9-123ntp 354300x800000000000000029223Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:14.622{FFF7FB96-041E-6136-1100-00000000F101}1008C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-353.attackrange.local123ntpfalse10.0.1.14-123ntp 23542300x800000000000000048312Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:17.645{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7DE1F14DF90A62993F7E71DB4641037,SHA256=E7A54591C2DD7BC948DB137450BA39262782D5FCDD2F43FC71ABEC4FF5D2A60C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029226Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:17.771{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E9E782BF7C684319182934986614A82,SHA256=02AAD5558F16B8259BA641B8EEAB8D520151EBA88D8417F115F4EE2B1C02666B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048324Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:18.679{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E4F730AD53C332730978F84079AAE62,SHA256=73A2214A5853702DB74553B48AD87799170F7EE00573A29772C8E864534BE3CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029228Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:18.787{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3B1BC43127EBA1D2F3D8850BEF1F8E9,SHA256=AD8C62D698530965E301880053EE3DC6F6C06B3026A537422A10EACB6F600F82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048323Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:18.579{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AB3022227FCCAA4CB70D9FD8DE89053,SHA256=FB15337BC9E61DC853DDAC1F611744071343D19863747596812A813864FC0698,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048322Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:18.579{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A5E92EC5BB505574D0362C213A6EF34,SHA256=9C47BC73B1C9D0A7984F197FF9DB5CA32D7E978D55630D19F7E84BF56FDD6A7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048321Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:18.064{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=102411E7103E38DD9EAD9904FD28C550,SHA256=7DD8BDAA3BD2B842F7C11423F97BDD4A2162CE772F401E04BD6E5357F62EA4AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048320Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:18.064{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=A457C88B869F4BE449F558A6244B3F88,SHA256=296BEEF4F033F7F466B773A9EFB6A86A7B6FB5D7CBDDC13F50DBEFE7DC871460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048319Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:18.064{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=D959DABDAE6A9D9FF058D4F60F948F1E,SHA256=7947E06309949BA6175E4D24865680FDFEDF6ED3D03B22737479DEAFD99C4FF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048318Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:18.064{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=D87471AB02DA09BD155A04731DC7E202,SHA256=38F7AB83C85DAC75ED73E3C36AC7E5E621D1CA16D479FB78EA72AC4F8CC42826,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048317Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:18.064{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=AD70FEE66A286B7310D89E3799E94A17,SHA256=DD01FD1BE4EA68492E7CCC4DC024D0B918683B5FF367B440901A2D6B2F8F99AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048316Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:18.064{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=340B828EF938446D9311D1ECF4072B98,SHA256=6F6C0CBC438F4767F5271526F5DC04D4FA25BACE81ACE42DF7EF6F983A61C2B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048315Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:18.064{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=5EDA6025A4981E9EC9D5C06D62B790B8,SHA256=4D854951E09A6C90AD37DBEBB7F40AC3F6CEF057FD9DD7A8AE82ADEF290F13A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048314Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:18.064{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=68D5429F074E6448DFA219113DE2717C,SHA256=6F0B1FFF0E5026C4201B8C35E71610B1CE2063ABCA1E266ECA11AD4F6F7B6901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048313Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:18.064{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=98083667EFB0258B17E1B80A8D7E4F40,SHA256=208ED3B5D94C5B9CE701EA6DE16866342123183B1D319592275BC30F5A582B4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029227Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:16.606{FFF7FB96-041E-6136-1000-00000000F101}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse1.14.199.113-60766-false10.0.1.15win-host-353.attackrange.local3389ms-wbt-server 23542300x800000000000000029229Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:19.801{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5D30BC46B09DC4FCB5DDF0D1F13DD8C,SHA256=6300089F633667FAE13F0B56DBE0BDE01D58281ED2E815B422B5D7347D9D1E7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048326Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:19.709{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3BEA33815C65B9390121243D8723A75,SHA256=9C5458035E8DFBAD24A9F4F54AB4F45FA54806C09CD5C30B1ED9A7C687AF97AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048325Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:16.720{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57427-false10.0.1.12-8000- 23542300x800000000000000048328Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:20.809{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30A98BA147E1EE8ECBD4321D3154D647,SHA256=18128C156C5344BCF5D5D4E5ECA8CE0A7B748756D3CD46CDC4D3470F6892E6B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029230Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:20.801{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=207B9D09294583F327D2D6AB906DC1B1,SHA256=F33105FB8DC635FE1EA7A8155045C10CDC56520A9E54CE6DE382AB04068D95E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048327Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:17.927{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-456.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57521- 23542300x800000000000000048329Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:21.824{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B4DBE416BAF4920E9209300047BB8DE,SHA256=7CEF3E9403123A9B0F9EFB00D6EFCF5CC8B22AE383F1A9B234806DAA3340931C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029232Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:21.801{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B22F3BB9C6C43F7AAD1A01F83693025,SHA256=A6254C2BA13D674C8D5116909BEBA286F1993C035AC4F1D14730D61D9766CF32,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029231Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:19.887{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51139-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000048330Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:22.842{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70715CC40C93A1208D200B8279F4D148,SHA256=D5FC736CE01E2408C09A7F55A86D35BA30F5C29F25CD9E805594811FF4983A44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029233Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:22.801{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41B135258081815598B7C2D27A429D95,SHA256=367213FA99BAC157FAF5EF30D35F61285F5512AF6D93CDF814309945582215D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048331Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:23.851{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2FC35F569D168277539175E4A6405E4,SHA256=7558A249B0FAAA7E69245D9DAE2DA1F48C5DF2B98EDEC437B2074E60989E3864,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029234Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:23.832{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E2E5092B34BA872D82CC154498C955,SHA256=FB52EEEB6E340FF45CF5B3ED909A9EC718BEE58970E14C25A7A6F1B09FA53E93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029235Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:24.879{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA820358C34EADA3615D60C71B92E68F,SHA256=91F8C2F9D17BB8C3C579A1F082A79F29EA8644AA0E6346B5E4971D82AA0AA2ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048332Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:24.888{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=389FD7FC1A7DF28E94E3528179D19E54,SHA256=04FED2CA821C3E38586575806CBA75932233BC171329E83E26CE232F899DE168,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029236Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:25.879{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F469A8884F0683F9EC69ED85D28C71,SHA256=3436E34AD3AE794FB995124A28339C0A22251CFE8CCC914E59CE019C74F0CEA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048333Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:25.891{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B4DA57BE5611B8EAF59350C41D840E2,SHA256=989A5C4E22AA49A0CCB3E5614E5E465BC620F83590F5E92030BD9AFB7EFAFFA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029238Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:26.879{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52D54FCA7C2D1225A9134ED60C398FE7,SHA256=8ABBAE00872C09421F5F7CA404CCF5D36AFFFCB5870836BF89CC61763115E9A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048335Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:26.892{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C725C27C03476A2A5AF34578777DD76,SHA256=56C5A28DE9E55E097B387447908C495F4FB97A917E85E310EC7AF4C2384BB629,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029237Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:24.996{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51140-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000048334Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:22.727{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57428-false10.0.1.12-8000- 23542300x800000000000000029239Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:27.879{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28C8E281AB90CEC5431F5959F65E4AC6,SHA256=C6DF82656CF066CB48A01BB690C5ECE07892F07EFA05D31E1FB2DB8CBEDBB4E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048336Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:27.907{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF11CC9E12F910B5D7D106C4B0D2E2CD,SHA256=13FD2738323F581683505721FD243410676CF76CA793AA0E990370941B1D48DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029240Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:28.910{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD8E61E619B9838019954B3138ADF7B2,SHA256=ED628BB0411D30793E9D76048F6BE44EE7FFEEC9614FFFC2C54D7B36A5DAC7CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048337Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:28.937{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DAA9FDCFD3E80A5AAE71C85F726A88E,SHA256=8FCCC18AF5751A9454D89491BF68CAE3B5DDB473356B60C0A6C9EA1104BA31DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048338Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:29.955{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23245E891B0322C95364AE9F8DCF6ABC,SHA256=35E1482F94981AD4227FC3A5FDAC51E3C6EF96B097D90C2B984EA1C2FFBEE0FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029241Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:29.957{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4555DDA2BA7C38575357CB3C26DDF75,SHA256=9970209CDB3354C0B489E7CB8A6896B95654552B1B339AB20BFEFFA2D1553DBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029242Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:30.957{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FA2AF8CA7187D840575189F937CAFAE,SHA256=A6DC9BA138E14573F961821928070750FBF8E83CB54F1CE841A875DFFE827A0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048340Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:30.973{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8723ADFC1BF8D2490EA9D6C4A57CC801,SHA256=FB68F0C73C6D95A822EFFC7D0D982C91F3ED7F2DFFAF4D8040E1B15E8BC15E85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048339Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:30.720{323FE7D8-02BC-6136-A700-00000000F001}1036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029243Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:31.973{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F3BC9893EAB03953AF4FF52304FF086,SHA256=2211206420F5E570A817A3513208179D1CAC1887F2991FB2639A37C0A9EFCAA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048342Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:31.988{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD7DFE02FFBBE101F7CC27BAA62E321,SHA256=4C1C93CC32EC430FDBEEE4C5B7DD8B917A419841AED3E666080968D5958BC8C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048341Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:28.699{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57429-false10.0.1.12-8000- 23542300x800000000000000029244Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:32.988{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=166186A2A4ED534F2541C5728E8FA003,SHA256=EE6A35D90DD857C0DD61C8B340E4486C85D9C17DB76EC21A32E415B52ADABBD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048343Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:30.313{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57430-false10.0.1.12-8089- 354300x800000000000000029245Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:30.949{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51141-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000048344Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:33.004{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE5E0531CB8D1DC35191DAA979A34ACF,SHA256=A5B661FAF1F78FD35CAE7375447EFECA62828F46E3E87A35D15B783B282F8CDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048345Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:34.004{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AA37E8AEF5F688C5603CEF85EC6A7BA,SHA256=F52694E51912F6785BE846C568206A34C5188BA87B8C70F185CEA61BC764C84A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029246Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:34.004{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9DF85BC2614AE73DA6F4A30CAE12112,SHA256=6F2B7A49A393CC7B2BC2FEF53304DAA6612EE78C9D85F56148FD3EF2C429D576,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048346Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:35.019{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB3E7DA4FCE2BFCBD8D10F55013E8FC,SHA256=9EAED8F39571D1F09C839CAA64D28F0D7141411E3830EB49915355379C63A6E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029247Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:35.020{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E6A574BC103491141866B3DC529220C,SHA256=5CB329B395A099E130B80A380BCD8600E80F72BC3461B94F312E6E244AE0DB19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029248Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:36.020{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA6671F60AFE74AE4C8FE78E3A26C684,SHA256=F54D245DB033F9C8799A78D3274D617A2919E91DC485F13F3FC4163DA8632BAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048348Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:36.404{323FE7D8-022E-6136-1000-00000000F001}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=719C00752CBA2461CBA970B462BCAFE3,SHA256=07AD3A4DA8C94DBD7187F99616A0ED08832E636CE77DF4E06683686932CD5A30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048347Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:36.035{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10A370824EF2F805CEBD98D116541A26,SHA256=CC580527D3F1AB3FCEEADAED62CD3C4123B07F5E12E3A5381C327F51431F9B30,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029250Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:35.980{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51142-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029249Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:37.020{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A83C05A7C2D09F4A404CE4D1A11B385,SHA256=6009EE40D3624BD34076F2CE939FE1EF20133759D011A605295957A59F5D92A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048350Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:34.681{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57431-false10.0.1.12-8000- 23542300x800000000000000048349Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:37.055{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C7CF1C3091CFF79AB9B95430F7AFBDC,SHA256=AA7CBDD2B4E298642426EC2FC8235477BA5B462F037A4854DFE77C50B1D58968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048351Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:38.072{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE0F8668758CDB909AE84807DD590C2C,SHA256=C70FD41F7DEE1F4FC0AC1FC8E13D03AEB45124F0F69ECA0972BCB05A776D5EC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029251Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:38.020{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11C97DEC08CAB18201994CF715257AE8,SHA256=67C11F2117EE6328B8A11F762421EED3EA0E4D6924BFE388CB54D7C10EC13096,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048352Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:39.103{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BB5055B3CFA756594F7BAC6AEEF3B1D,SHA256=4F4F733E90F4102F7597D9260873CA79FB0FEB363EC15C7E31D9765C757ACED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029252Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:39.035{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1185FC20082AED8C3A5192F017B4554D,SHA256=CE9DB6DCD90FFE1324B5B6F58478BBED1CF0C8651BF7DB20084632D90A44E6B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048354Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:40.235{323FE7D8-022E-6136-0D00-00000000F001}9045860C:\Windows\system32\svchost.exe{323FE7D8-022F-6136-1600-00000000F001}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048353Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:40.103{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2E14A66EAB52FBAD5A245ADAE2AA34F,SHA256=185B17E4E312F3EAE0A4C92733AA439BA9D6AADF39C96F00FD9BDB38383D82CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029253Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:40.040{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAD7EC455B3D5C62C169C4D79AC736F5,SHA256=4B6A6D625F1C3EE42824750C80F92EB27DB41C4600FBDF3698B2A56FFE09C06B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029254Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:41.040{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ED40C571EE51321DF80D022E11F69A5,SHA256=AA1484A7C80734F11914F90F0521DE8FC98BF2FB582524142C903E5E2D684CB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048355Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:41.134{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F18AE04FCEAD7FC699DED0C09C9FD39C,SHA256=C760D72912D2F4409E6785847F2CBA3C785085ADC04FFD443E40C8BC6D7A8924,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048357Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:39.843{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57432-false10.0.1.12-8000- 23542300x800000000000000048356Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:42.134{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF38FF769C2B0602C0BA86BE534DD69B,SHA256=03EAC5648B42883FF1D893FB798CDDF931015B5AEFAA51BF3CF041374D9EA176,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029255Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:42.055{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=711DD224C4791905EA7D30FFE2B426A9,SHA256=2B9F6376DFD3DE9AA570C0CA9E02842A8CFEBF7AFA5A42E9A9D187812EC38877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048367Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:43.190{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=D9D7750A75D92A819ED2887DF91C1D96,SHA256=93C5D4DD8B3B4F77E9D52376BE5B94D1275B7CA0C9D009D12FA0BABD58E7F370,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048366Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:43.190{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=31ED364A8799E87DB9016F70F52DE16A,SHA256=F4839402B37D69CD3D7FFEF658FD4981EAC527767C467019F25FB7A53FAC0116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048365Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:43.190{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=1EE039F36F402875171072C50C857AD7,SHA256=89428B872879ACEAA545FDA3EF34C847C6BDAE89D993E7C3432C9CB5A30514CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048364Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:43.190{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=97716317ADD42F6C53B24377D7C87F6E,SHA256=4CE695FBAA9348A7263342B3E7577E3F7B60CC98172AB7E9A8D1159C8D56B1F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048363Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:43.190{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=98603548A99744EF65566C08BD9359A0,SHA256=D28857BCC459617558128FAB7E518C27F7B779A6BD047E4A09CE5A64D70E14DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048362Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:43.190{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=026B53957AE8EC69DBA007103590D324,SHA256=6815D543CF4CCB30570A8D140DE72A383B682C39ADE0EFA7E01E7449F28EF486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048361Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:43.190{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=9EFF358FA521D8AC1188618CB3F52422,SHA256=4B3D41848762AB27FEA5DD12A87E0ABC565FF541F10F926E51096F0C0AF8F69A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048360Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:43.190{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=D6B4CB936D2943B62681464A59E7D9E1,SHA256=A8C998BE1B74928BE3695BB4C02F995D3D8FA423ACB4C707021FBD96DC30AD19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048359Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:43.174{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=D495F3C0D3B9749DD44C3E02AC670331,SHA256=96245EC8DF050A12DC5C398B6589EA4C22AF8B85FEE2C578233C69AF6C36B041,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048358Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:43.153{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA8D54943661240AF91BCB351DD47343,SHA256=0B6FF2D241076B00D2AECA442095C0EF6E106AFD2A39CE6F3CF5A990FA170317,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029257Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:41.923{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51143-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029256Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:43.055{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D82CE6D499582E023932E9C9F1DD3AFA,SHA256=429CF087ED4589675ECA9668EF70EB0344DEC6F7BBE33487C9530A23B2CF457E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048368Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:44.173{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7A38EF38E98C2F75896439AAE1B1ABD,SHA256=9D752232EB72FF0FE18FE68B011540C32B8706029B96B1B2C77A97F77E2C9A12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029258Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:44.071{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2FC489775A7D8998665422254FE6727,SHA256=EA33B662982D5CA0A45947ECA6619C9BD36C9A859C50D79D76E1F13D09CA2724,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000048412Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:01:45.772{323FE7D8-022E-6136-1200-00000000F001}768C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\8\ValueBinary Data 13241300x800000000000000048411Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:01:45.772{323FE7D8-022E-6136-1200-00000000F001}768C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\8\ValueSizeDWORD (0x00000008) 13241300x800000000000000048410Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:01:45.772{323FE7D8-022E-6136-1200-00000000F001}768C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\8\KeySizeDWORD (0x00000000) 13241300x800000000000000048409Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:01:45.772{323FE7D8-022E-6136-1200-00000000F001}768C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\8\TimestampQWORD (0x01d7a327-0xba70c9ad) 13241300x800000000000000048408Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:01:45.772{323FE7D8-022E-6136-1200-00000000F001}768C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\8\NetworksBinary Data 13241300x800000000000000048407Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:01:45.772{323FE7D8-022E-6136-1200-00000000F001}768C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\8\NumNetworksDWORD (0x00000001) 10341000x800000000000000048406Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048405Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048404Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048403Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048402Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048401Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048400Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048399Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048398Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048397Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048396Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048395Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048394Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048393Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048392Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048391Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048390Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048389Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048388Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048387Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048386Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048385Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048384Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048383Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048382Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048381Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048380Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048379Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048378Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048377Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048376Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048375Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048374Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048373Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048372Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048371Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048370Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.419{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048369Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.188{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52A43EC3F5CBDB7AF98F94F381427D17,SHA256=9DD1BE03CEB3D40BEF5ECF4309DCB84A7C6FCB44E975636C6F051EE83A00275E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029259Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:45.071{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A17E02D5FD6486BDCB85F65ABEDC7ED8,SHA256=F1641E89A4BA6B84883F695F58941E0340BBEC8F88EE5D243A2C09875A61A98A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048413Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:46.634{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0044D4C6FE2C9B4A1049E0F0C9B8F866,SHA256=11AD68EC6118CE954689F2613642DD20F9842145F32AC9532637ECBF622DAF24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029261Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:46.151{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\respondent-20210906120554-112MD5=4761C661187147E55C9BD88F93ACDD3F,SHA256=E49051AD655512C416AEEFA39D6145E31F50204E8459201070596158B48A8487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029260Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:46.087{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=837D81A1813334087FFD60056292D7BA,SHA256=1656171E9922EAE0CD678632C712495C4E04030203626E8377D794BF5277A221,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048415Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:47.702{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BBE80C781713470EB1C288A8428FBED,SHA256=DCE26A1AABC87614354CF2E86C78D4CE190633D716B195648F489734F02FC39B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048414Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:45.696{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57433-false10.0.1.12-8000- 23542300x800000000000000029263Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:47.166{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\surveyor-20210906120551-113MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029262Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:47.102{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C8A3D56A3A08D50AD2DB16E7CB17C47,SHA256=1B997398D221A7FE6508181B8DF0911F8A363ABBCE60BA37FC03189F0059CFA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048416Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:48.718{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF96036613871962A64347D384C0B52B,SHA256=B048585BF2F861D2D72F64413A519272AD95F8D8A2E5A60EE98A7A4F4D1B1873,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029264Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:48.103{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE8303709EF1557F66BF949C28AB005E,SHA256=7110F5D9960E5D75F8440FFF46D14BE691B32229F9EE0F2B55575A9DA38FB788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048417Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:49.733{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83308D70694676213F7DB2D5586CBA54,SHA256=12FEE5F0174D19423FCCB4F41542CC721695F966120832C4FE95A22A7AAA4DDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029266Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:47.046{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51144-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029265Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:49.103{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E67721E727EDA686ADBF75232DB9C67F,SHA256=8D1FB0632FE285D57559864C5E574F207BF99D1DFC1E07B7337C0B5885D50434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048418Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:50.752{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05D90F647F96173E4F29B377E2FB00BA,SHA256=3DFDC16D04C37308294EBDFCA7F4917CED855FED177AFC1C0F9CE62320AF9CBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029267Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:50.119{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA4ECA3B7993919D41E5BA1DC192C49,SHA256=A3B94EB89A7B35C06120C4707989A3DD2E2D2FF0A4897F708EC28D90E723E8A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048419Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:51.769{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70995531D2BA99D6A8702C537FDFD712,SHA256=4829801C854F3F232A60862FB9C69FBE3582C47891B30B819FEA516DB0B648AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029269Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:51.728{FFF7FB96-041E-6136-1200-00000000F101}1020NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=851BDBD07E64D2DD98C18887F5C7971D,SHA256=BB1613F98F1CBBD61142C566CB7D77E41ECE0450D9FC83369124AA1410E42CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029268Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:51.119{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857EDB4206BD86825D0ACEBE836F79A6,SHA256=80011F07D10AA97862F237829F5B045041D86E541E94ED6309C43D6E050FF477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048420Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:52.785{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FF294C94325991CB20D05397C27823B,SHA256=0A98BFE2D80DA833D8AF1C2271761339FFA97CBAF79959BA600B75D18C5CCB4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029270Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:52.134{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F566B94978F2287A5018C444FC23E3BF,SHA256=DF38B8E6DB96BFDF302628CA06002E1869BC7C7E72DD91B59144A4A5CF93D590,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048422Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:51.740{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57434-false10.0.1.12-8000- 23542300x800000000000000048421Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:53.800{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D053B74D2AA0C90AAB8EA395837FA8D,SHA256=375BE1CB52062CB397C8B28D6F2BD7264F038698A9CE903CA9E498A906461D5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029271Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:53.134{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8845A31B9C9697E2E2C50E5935078D8D,SHA256=E239B6FC55C585E5037FD59CAC197DA123464F696FD9DCBABE3D7673F7E689A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048423Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:54.816{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DCA18573708926337D4FC5D1BE09D5C,SHA256=A4845615240F796001A46C50E35E49CF51FB2A8FC58A7CFAF7A8A6C1141B25D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029272Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:54.150{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB1C5E0BE22422B6D38B91D9EA356A1,SHA256=ACCCE0E537ECE69AC42890F31043008B345FDFCC8E6A76E06D30892930F9924C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048424Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:55.831{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C29473FEF36B6AAAF9421EDBF109AF6,SHA256=A8F8D7F7E781427B676350C262EAD320C0277B88E79CADFD5A6CF3E77E30552A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029274Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:53.048{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51145-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029273Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:55.150{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03DE0B7CC353D2F5C27E3BEB255054BD,SHA256=9727650FF24B74D8637194CE68B9C86A80CA0DB5592BA1E9BFB2E5A12AFAF1B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048425Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:56.832{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E36960B37CCC373DEBEDFEB99D71CB4D,SHA256=76FB27E7612A0AF6096A1F5DF64E947785DD7702BB16D03E82680954593605BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029275Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:56.150{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9AD9EE899F9C50A6BA74C0759BBE1C6,SHA256=0B7DF5B6C24A5AB76C49B2E923B9C2937B9E4810AFEB9A4D65135AA1B53152FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048427Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:57.953{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\respondent-20210906115753-120MD5=58D52BFFD80488B8005F7C319C2D4334,SHA256=B9D8441D1BC2ED8425146F5F211E2A21C477807F4E0B7EBAD9811C868FAB9279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048426Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:57.849{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F22E5D32664012B85C248BCE6F379478,SHA256=5DE089D3F3D05FD58CFE98771BF4507C71E2405418D4F9FE78575B42C503DFA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029276Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:57.166{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=529DE4243D39D798836DE216FA8E57E8,SHA256=78671FCBA96260CA517104B1817DC9207491F189B227711D14A00162655280D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048429Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:58.952{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\surveyor-20210906115751-121MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048428Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:58.899{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD4E173F948037E2D44D3AA21FE5A250,SHA256=AD8AE485642FA9B505AD29CA21D1BC54EACBF9FAC47BDF90E7BD29296D2652F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029277Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:58.181{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D718415F7FCFB79A6C712DD11ED487F,SHA256=ACA39F061E2091C361F8627A2E697023AF31A1FDD91766FC92E4D224BFE88860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048430Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:59.915{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCF050D5C22DFA7E54C23CFE5318A1B2,SHA256=AB67473115FFD08252D315E6357D78AC1E8BDD9409FFAA6823CB78672DB2D1BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029278Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:59.181{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85F921E651AEC8F7CF20D45AD3F23340,SHA256=6545AABE3539FAEEAA2BBA374682BB340419A82D0C1D4E6085A9DE5B8086BF7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048432Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:00.930{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30CFCE8B147A68A014B6BA313B98FEFE,SHA256=AF034C00404C688B595A1F8F5605138B7F129228CCC9DAF69BE71B354A86A558,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029280Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:01:58.080{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51146-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029279Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:00.190{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC84321C408DD871200E3BCA7763C7C7,SHA256=1A42C2BDB6F2BCC3914FED7BC80F08063AF6631972D99032BBECAB19791BF13B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048431Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:01:57.740{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57435-false10.0.1.12-8000- 23542300x800000000000000048433Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:01.948{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E10741EDC7FFB6A4F6990267EC740639,SHA256=6EF4B63C76D2F1406FFB93C308F6F50D59D7A3CE57B2195E680AD94A4DB9DAA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029281Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:01.190{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0AC488ECFA67A241D4E1AA5BCDBC156,SHA256=62EB1D5E5B2367FD029CCE09BD22F367DCA2036A0484B3AD1A5FBE53B78EABE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048434Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:02.966{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E15C6AD5FE23C342110654A8C4D3C019,SHA256=9DF79502CD1BD63A175EE6A5D8D1A394D3BD2CBE56935545E869E03A583FE8E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029282Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:02.190{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB8183E2C02D6ADCF882930E8B64E570,SHA256=1FBCA808A51D0C9C3A78CCFCE9E30BC212369583E579F351DC1DAFFA75C40D57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048435Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:03.981{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=224E2CF393DE18BAF1427868A6803283,SHA256=8AC1070D6D791B58B3DE6A4134BF80A3FAF9305BCA4713F1C1104C281E7218C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029283Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:03.206{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D195B4A635C791A8361A7D9CF2A55C8,SHA256=C660619B70403B591694D53E7E01608EDB616D08AB44EA558E9493905B83C20C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029298Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:04.737{FFF7FB96-1F5C-6136-E406-00000000F101}12963668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029297Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:04.549{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1F5C-6136-E406-00000000F101}1296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029296Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:04.549{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029295Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:04.549{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029294Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:04.549{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029293Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:04.549{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029292Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:04.549{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029291Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:04.549{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029290Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:04.549{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029289Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:04.549{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029288Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:04.549{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029287Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:04.549{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1F5C-6136-E406-00000000F101}1296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029286Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:04.549{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1F5C-6136-E406-00000000F101}1296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029285Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:04.550{FFF7FB96-1F5C-6136-E406-00000000F101}1296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029284Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:04.206{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5329C3364E9166F87FA855492FC2ABD,SHA256=3C93DBDA0654A04532019C3AE1588AE0F4FF4A564B3862C79E643554374D3965,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048443Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:04.365{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1F5C-6136-7109-00000000F001}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048442Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:04.365{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048441Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:04.365{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048440Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:04.365{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1F5C-6136-7109-00000000F001}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048439Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:04.365{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048438Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:04.365{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048437Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:04.365{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1F5C-6136-7109-00000000F001}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048436Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:04.366{323FE7D8-1F5C-6136-7109-00000000F001}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048454Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:05.384{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13E8622997EC5820DDFFA0BBC62A08ED,SHA256=1BF0E5CF323AB0A384AEA559B64A5AA928D24D1F462590D591E93596DB88FCA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048453Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:05.368{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AB3022227FCCAA4CB70D9FD8DE89053,SHA256=FB15337BC9E61DC853DDAC1F611744071343D19863747596812A813864FC0698,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048452Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:05.221{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1F5D-6136-7209-00000000F001}7164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048451Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:05.221{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048450Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:05.221{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048449Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:05.221{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048448Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:05.221{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048447Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:05.221{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1F5D-6136-7209-00000000F001}7164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048446Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:05.221{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1F5D-6136-7209-00000000F001}7164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048445Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:05.222{323FE7D8-1F5D-6136-7209-00000000F001}7164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048444Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:05.005{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=288847D7C4856561E6FBAD6B4A18EAE7,SHA256=99044FEBB63B883AD6917443CB93D21BE42415B3B1A7E90B0D591E454F0F9915,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029328Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:05.893{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1F5D-6136-E606-00000000F101}1100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029327Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:05.893{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029326Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:05.893{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029325Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:05.893{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029324Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:05.893{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029323Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:05.893{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029322Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:05.893{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029321Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:05.893{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029320Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:05.893{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029319Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:05.893{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029318Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:05.893{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1F5D-6136-E606-00000000F101}1100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029317Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:05.893{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1F5D-6136-E606-00000000F101}1100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029316Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:05.894{FFF7FB96-1F5D-6136-E606-00000000F101}1100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029315Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:05.549{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04F9775B5055B55DB2631961861B5B0A,SHA256=B5A07F1A92DFD4D7A87B48F413ED8143D1FCE66BD5195182BDE9BEDF92E447E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029314Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:05.549{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DAA0A6B2DF386647BAB8B10DD6F8280,SHA256=43161502535D286E56AE3143494E5C7B87F92E3E081DA90AF650AA73A5BD2D24,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029313Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:03.104{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51147-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029312Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:05.221{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A48B37B4C5B8DB16D0789470F33A0B99,SHA256=9CDB2781C9C6C17D1EEB0C3F5597945FD13A2BAC17CF496B4EDC8BD2CDA6410F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029311Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:05.221{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1F5D-6136-E506-00000000F101}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029310Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:05.221{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029309Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:05.221{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029308Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:05.221{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029307Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:05.221{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029306Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:05.221{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029305Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:05.221{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029304Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:05.221{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029303Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:05.221{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029302Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:05.221{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029301Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:05.221{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1F5D-6136-E506-00000000F101}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029300Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:05.221{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1F5D-6136-E506-00000000F101}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029299Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:05.222{FFF7FB96-1F5D-6136-E506-00000000F101}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029331Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:06.940{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04F9775B5055B55DB2631961861B5B0A,SHA256=B5A07F1A92DFD4D7A87B48F413ED8143D1FCE66BD5195182BDE9BEDF92E447E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029330Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:06.315{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FD6F60835D40452891F523FDDF1A9AE,SHA256=961F59B0310258B7BA7C9C21D379E9DC20AEADD0202FB5EF762095032776A983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048465Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:06.893{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13E8622997EC5820DDFFA0BBC62A08ED,SHA256=1BF0E5CF323AB0A384AEA559B64A5AA928D24D1F462590D591E93596DB88FCA6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048464Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:06.391{323FE7D8-1F5E-6136-7309-00000000F001}44365532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048463Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:06.113{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1F5E-6136-7309-00000000F001}4436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048462Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:06.110{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048461Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:06.110{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048460Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:06.110{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048459Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:06.110{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048458Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:06.109{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1F5E-6136-7309-00000000F001}4436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048457Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:06.109{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1F5E-6136-7309-00000000F001}4436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048456Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:06.108{323FE7D8-1F5E-6136-7309-00000000F001}4436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048455Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:06.029{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD36B218BB5C8B3EB2CBE060CA980716,SHA256=073631741FE4DC6DF94549B54A1123A6F5A92627259DF1D7CBDC5C7D9D7CDA79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029329Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:06.174{FFF7FB96-049C-6136-9F00-00000000F101}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029361Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:07.971{FFF7FB96-1F5F-6136-E806-00000000F101}17882440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029360Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:07.831{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1F5F-6136-E806-00000000F101}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029359Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:07.831{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029358Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:07.831{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029357Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:07.831{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029356Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:07.831{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029355Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:07.831{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029354Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:07.831{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029353Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:07.831{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029352Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:07.831{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029351Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:07.831{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029350Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:07.831{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1F5F-6136-E806-00000000F101}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029349Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:07.831{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1F5F-6136-E806-00000000F101}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029348Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:07.832{FFF7FB96-1F5F-6136-E806-00000000F101}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029347Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:07.565{FFF7FB96-1F5F-6136-E706-00000000F101}24603348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029346Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:07.331{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B3320830875FB66501FEEA968D6572A,SHA256=591231910518985BA424104C90FBA0557FDEA95DFECBCC30493088E078681000,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029345Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:07.331{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1F5F-6136-E706-00000000F101}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029344Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:07.331{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029343Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:07.331{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029342Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:07.331{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029341Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:07.331{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029340Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:07.331{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029339Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:07.331{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029338Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:07.331{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029337Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:07.331{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029336Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:07.331{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029335Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:07.331{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1F5F-6136-E706-00000000F101}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029334Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:07.331{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1F5F-6136-E706-00000000F101}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029333Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:07.331{FFF7FB96-1F5F-6136-E706-00000000F101}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000048475Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:07.831{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1F5F-6136-7409-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048474Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:07.831{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048473Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:07.831{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048472Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:07.831{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048471Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:07.831{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1F5F-6136-7409-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048470Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:07.831{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048469Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:07.831{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1F5F-6136-7409-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048468Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:07.832{323FE7D8-1F5F-6136-7409-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000048467Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:03.721{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57436-false10.0.1.12-8000- 23542300x800000000000000048466Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:07.031{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5190DB640033700C81E01E4754EBA87D,SHA256=19B0EFE0A98BB847269DC0A0F3C6EA09B4D489D4817F5539A75BE898F2908BA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029332Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:06.011{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51148-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000029376Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:08.588{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1E97D75B5259610CC38074CACDDC7D2,SHA256=F92F385CCA1B61C9BC9B2299C993EE5BA5D7B65B5932670DC5AF7265F84B95D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029375Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:08.503{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1F60-6136-E906-00000000F101}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029374Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:08.503{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029373Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:08.503{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029372Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:08.503{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029371Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:08.503{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029370Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:08.503{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029369Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:08.503{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029368Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:08.503{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029367Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:08.503{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029366Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:08.503{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029365Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:08.503{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1F60-6136-E906-00000000F101}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029364Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:08.503{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1F60-6136-E906-00000000F101}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029363Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:08.503{FFF7FB96-1F60-6136-E906-00000000F101}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029362Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:08.331{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20726191103502648B110652DD9CF37E,SHA256=F4EA81F9B6494124E856E3119EE9A96B8C7FEFD3CB1091DE2439A65295A3F6D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048497Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:08.951{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1F60-6136-7609-00000000F001}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048496Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:08.951{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048495Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:08.951{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048494Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:08.951{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048493Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:08.951{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048492Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:08.951{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1F60-6136-7609-00000000F001}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048491Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:08.951{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1F60-6136-7609-00000000F001}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048490Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:08.952{323FE7D8-1F60-6136-7609-00000000F001}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048489Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:08.835{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FCCAC1009EACC2FB2FF76927ACCA9B8D,SHA256=F9FDD39D4A6693062FD0D654F95022107D78C0616E94E0E850AAEEB01C8674FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048488Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:08.775{323FE7D8-1F60-6136-7509-00000000F001}33366332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048487Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:08.449{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1F60-6136-7509-00000000F001}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048486Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:08.449{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1F60-6136-7509-00000000F001}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048485Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:08.449{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048484Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:08.449{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048483Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:08.449{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048482Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:08.449{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048481Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:08.434{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1F60-6136-7509-00000000F001}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048480Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:08.437{323FE7D8-1F60-6136-7509-00000000F001}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000048479Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:08.403{323FE7D8-1F5F-6136-7409-00000000F001}59125620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000048478Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:05.401{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local57437-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000048477Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:05.401{323FE7D8-023F-6136-2800-00000000F001}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local57437-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 23542300x800000000000000048476Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:08.063{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BB9352D00CF0F952A37A312DE17B475,SHA256=291C374C30A9C186052CF6A2A1D1FCD16FB5F89318057B8B9A4D524A0F16A8FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048508Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:09.979{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A4DCBFBB99FCAFD491E787CB7D19728,SHA256=4D9F1B60DAADCBD4A85F3DDE01E2B85AEF0CBDADA2E73B33E41142F02FB5B8A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048507Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:09.547{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1F61-6136-7709-00000000F001}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048506Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:09.547{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048505Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:09.547{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048504Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:09.547{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048503Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:09.547{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048502Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:09.547{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1F61-6136-7709-00000000F001}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048501Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:09.547{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1F61-6136-7709-00000000F001}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048500Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:09.548{323FE7D8-1F61-6136-7709-00000000F001}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000048499Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:09.390{323FE7D8-1F60-6136-7609-00000000F001}38283956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048498Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:09.090{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A8D2AE8096FBBBD079A93E35BECCCB0,SHA256=1F76DD13F8F7B6022B8CDBF2DB241D04364675FC2E796F01243D5EC2891698A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029392Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:09.737{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE88D40577CFFA9DA8113ACFECE34A77,SHA256=C13699E4F2D2517D78A8CF03BE72F08852BE0A9619EB0D4596CB8A52F39ECC41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029391Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:09.737{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB2952F79B89F5992A28466484B44ECA,SHA256=DFFB924C8C0B9EBAA689D1A7CA1EBE385EBFBDC2B3EDB3170A25F40B91BE6B57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029390Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:09.346{FFF7FB96-1F61-6136-EA06-00000000F101}3684012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029389Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:09.174{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1F61-6136-EA06-00000000F101}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029388Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:09.174{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029387Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:09.174{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029386Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:09.174{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029385Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:09.174{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029384Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:09.174{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029383Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:09.174{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029382Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:09.174{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029381Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:09.174{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029380Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:09.174{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029379Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:09.174{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1F61-6136-EA06-00000000F101}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029378Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:09.174{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1F61-6136-EA06-00000000F101}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029377Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:09.175{FFF7FB96-1F61-6136-EA06-00000000F101}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048509Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:10.100{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C42E25AE57FAE3EBC9BFC0008AC2CED,SHA256=276E1068549F71F950F2C33F7AE589AFBEA5B0A7F5A8EC30F221456783DA38D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029394Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:08.932{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51149-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029393Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:10.362{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4C2353A3C3BCF61BDB8C19AED31393E,SHA256=FDF503E2520862C83FFED8FE4A567C749243DA81B7C939EBF67D0B5EFDF45E70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029395Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:11.362{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23165B1C10E34A773003D034B95CB023,SHA256=411FEB13E3791D356F86CF89315C4839A9C5CA51AB0241E8845DB5251EB56295,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048510Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:11.116{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7390950304DB76B7ED8BD0A0F7E63BD4,SHA256=8815DCB074D93FD4102C5F4E52267095B97806B89094E3B997259DC933557F80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029396Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:12.362{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54BE8956D6EA3A649D05D174A3093738,SHA256=E4AF6A741A9148524FD4F0A7C6F0F7618EC83E4F6657BCCEABECE635F52FA143,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048512Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:09.757{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57438-false10.0.1.12-8000- 23542300x800000000000000048511Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:12.146{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69898E751FAF817E5DA8F6635AD4D616,SHA256=4E980C07DEEB5AFFEE090944341FB45A396BE95AC43C62B85CF03956E91ECE18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029397Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:13.377{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20A455FB745513A1F6F0539F56C06D77,SHA256=200AF946804D4295BBB4362587418CFCFEC60B31FDCC13BA02251336A593F1A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048513Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:13.161{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76B2E8C30E543C883CF6B61484F8C309,SHA256=17B05B1F42F265C656A1C7D39E739CFC2F9CC49DECF9D44E2E831A35FBEAE57E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029398Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:14.377{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2E945572944BC2265163FCCD4A81143,SHA256=99FFECC2B4CAC5D67C6FFF70028C686CB811F5909FA5A6389F2DF4A800D040CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048514Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:14.176{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4284A587189121DD66A1A50532B468BB,SHA256=8B66DED0D6D2C2E687BE52B0FA18AF97EBE27863A52F57C3CFC9947491C506E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029399Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:15.377{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C6AF0E61D007F38773C8C3896FD5B4,SHA256=ABBA91A79336E74AF710D37B747F83EB812B634134EDBE7066DD3476667DA865,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048515Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:15.213{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDCFC297ECA11275FE8E4631C1E49C3B,SHA256=3665BE0A1DF34FC501360ADC2C3927CA6FB645BE98FD67CB832B0E1DC6461CF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029401Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:14.026{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51150-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029400Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:16.377{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F15397D99C4ABB88E7C98CA635BA6B9B,SHA256=CA06F41B509BAA008F91E9E89728FA714B9015368B78C72746DF11BC4FC6CA1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048516Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:16.228{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E86DFAA1E9536B3D5A2640096B56663,SHA256=01EB725324CC56F931F32CD8BB105CDB39CE96C4CF25D38BC9A2429B55CAD39E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029402Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:17.377{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1653BA4340019F0B90344755D2B1AB6A,SHA256=C790FD4792F79908328AC5E52D1848F86CB7EBB564EFC89242AF35F50236B8DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048518Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:15.784{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57439-false10.0.1.12-8000- 23542300x800000000000000048517Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:17.243{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A6B45529F1F95592738442D7CA4AC42,SHA256=71A6FF98C83E005111A6148B52C2E0170054C113B4AF34A7BDCB7142D401B656,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029403Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:18.377{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F917C91F74822B130714DE3941F8879,SHA256=174986EC1FE87F2DA61A7EF020D74D033C45E804B225377B690D37744FC66E45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048519Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:18.274{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACE221359AE8E91DA7FB3073B3764A02,SHA256=CAFB91B3C03E39B5EAD3646A1DFD3441E4BBF6C416A3761E4C5112424AFBAEEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029404Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:19.377{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED3BD6CF5CC483D70AB81A8704B7CD98,SHA256=62766B231AAF9E5796569462569C74064153956736C96A87890BC8D894FCB452,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048523Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:19.811{323FE7D8-053B-6136-6E02-00000000F001}44405196C:\Windows\Explorer.EXE{323FE7D8-0617-6136-F403-00000000F001}4476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a50|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803046D18A8)|UNKNOWN(FFFF8659940A5B68)|UNKNOWN(FFFF8659940A5CE7)|UNKNOWN(FFFF8659940A0371)|UNKNOWN(FFFF8659940A1D3A)|UNKNOWN(FFFF86599409FFF6)|UNKNOWN(FFFFF803043E9103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000048522Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:19.811{323FE7D8-053B-6136-6E02-00000000F001}44405196C:\Windows\Explorer.EXE{323FE7D8-0617-6136-F403-00000000F001}4476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55531|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803046D18A8)|UNKNOWN(FFFF8659940A5B68)|UNKNOWN(FFFF8659940A5CE7)|UNKNOWN(FFFF8659940A0371)|UNKNOWN(FFFF8659940A1D3A)|UNKNOWN(FFFF86599409FFF6)|UNKNOWN(FFFFF803043E9103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048521Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:19.811{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF724a3d.TMPMD5=4F8EF1C2D0CD074D7EF5CBE84B3E29E6,SHA256=5DAD2EEF2DD790596120355F9CB5804457452E6EEBD4F53B0DF824C4CF2242DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048520Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:19.291{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4C150BEDF652887E8011BABA9FB3A16,SHA256=240283F45CE108689B1E0DF811AB4B017AEEFA04665D8603F4D355BC0D10A7F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029406Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:19.057{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51151-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029405Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:20.389{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB9A367ACA6107A503997A152DFDF8D8,SHA256=18C04D3334E87FA7E1EA666BD0E003CDCB612732BADB1266D688BC674EDA2B52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048526Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:20.758{323FE7D8-022E-6136-0D00-00000000F001}9045860C:\Windows\system32\svchost.exe{323FE7D8-0617-6136-F403-00000000F001}4476C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048525Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:20.758{323FE7D8-022E-6136-0D00-00000000F001}9045860C:\Windows\system32\svchost.exe{323FE7D8-0617-6136-F403-00000000F001}4476C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048524Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:20.326{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBCCA20E25399A148611B548ED205918,SHA256=37623AC73C3D4874F31850BF48C277F57C98B3B78626D66B9BFEFABF84EE6E0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048527Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:21.373{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B4E191C3639DA2D552A200971BE950E,SHA256=8473D20624149DFA22B026BE7974BC94D485E0FE20A7891D140DEA72B3EBB4B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029407Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:21.405{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5467AACB189A6DA355A24E4899C90B01,SHA256=3B62042439D1CF089F51EA68AB1E46A27998C6CBD66546C39B6C97B25E21A452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029408Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:22.420{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB5712A3215B2FB5DC52062D4BB98F7,SHA256=AF1371EC6A13D28A0DBE474C53EFD107F9C7B641CA2F3EA0EFFBE9B7560940D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048529Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:20.804{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57440-false10.0.1.12-8000- 23542300x800000000000000048528Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:22.425{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C24C8741F43AA3A7EC32F2D06AC7A150,SHA256=495D364996EF63CCACEB6933C7DF1277464A7F19CFC16AC56B0C7C7E8A0102E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029409Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:23.420{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FFCB20E62FC2FBD969D741CF047466,SHA256=8C1B9A3ACE47941857E522020B7D99DF850B96CDB54D0AF69B52919956AF95E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048530Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:23.456{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7953C827FE74B6AA90DE50DC862764D,SHA256=4361B4286BCFDC4C2D50375D330E46988DA6C1963BE828174CB4E79077D48D65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029410Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:24.436{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2909C90498DBE0054D5DD20E7AFCC625,SHA256=EA421AD49C1D95D28943A727A2F67F924AFF0DE49A2D027BF4828E88FF23EA04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048531Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:24.471{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68579175F8C1EFF8B5F145DCEFDB8AB3,SHA256=983F4666FB7322D27073C4280DC069DE1B02C47E1FAADB5F08BC38B4171FA84A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048532Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:25.472{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45DF1B6D98D4FF9CE7562A487F52B310,SHA256=F4B562A123962A2B2A6CE7EE4857729719BF7687D4EF6205207939CC6C155A1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029412Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:24.069{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51152-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029411Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:25.452{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58BFA9A6D484CF36674638189B06B072,SHA256=1E0279BFC678B8E2CF60ECF560DDF38EB74C76CE398EEDE866B02A93EAC9BCCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048535Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:24.505{323FE7D8-022A-6136-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local57441-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local445microsoft-ds 354300x800000000000000048534Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:24.505{323FE7D8-022A-6136-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local57441-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local445microsoft-ds 23542300x800000000000000048533Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:26.480{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94A518E2579BB98D7F160CB941D80572,SHA256=5446977A3A99AAB0C15A87DF6DF342B9A28544CD33A06B454F26D1BF02D85F0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029413Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:26.483{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDA70714A5E7C75E3E97438AF54EED79,SHA256=FADE1171ED05ECC5B52781EB7C909118D7D4E9CC8672160C1A6E7BFC45B423FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029414Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:27.514{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80A1ABE30E59DF1C95B82EF3B36D2B89,SHA256=37E1ECCE77D56232A25ED8C9EB484E9E3B1967554C80121D7E68396FB5FEF13F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048536Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:27.498{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A99F49FAE5F165C1F08CBA545BDB7900,SHA256=D64DD471CF38FAEC1F8B6C0E28410E2E75FD5C2C891BA7CD87B284491A3F7157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029415Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:28.561{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F8EAD967955AD8649CCC41C91B4C89,SHA256=ADA48925E300A6229C7E3806070453523F26BA10D8FCE1298B37E453A51349E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048547Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:26.788{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57442-false10.0.1.12-8000- 23542300x800000000000000048546Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:28.532{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C6F79F9F77B08B42C1624731895A468,SHA256=9EDB2ECD409BE95DBABBD5866C75CE7C5B9DAC5E7E685A4DD83FFFB29A6EF045,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048545Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:28.347{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=FE0A4F300CAD354FE3152E130AD0F9FE,SHA256=6751C5F9D5BC8F148C74EE7647C87B584CCC8571B848C00B0EEEA5C96D25AC32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048544Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:28.347{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=913B982D61CF628D277CF432AEBA4454,SHA256=979202B2C5CF06F70C09832E0E2A31DCE08064ADB1FB43253B3A1FBB76B2CE5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048543Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:28.332{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=B3AE5FA3613CCDC0869FF8A88594A895,SHA256=7B697D15654A5114041EAF60F79B18F5940E603191F921CD755D23DFEB8772ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048542Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:28.332{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=FFA689B060217BF5376F5A9C37B5882F,SHA256=FC81D99E71E7033B975A23DF3D01A987513E4CC5282A638C7680E3A88C934BD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048541Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:28.332{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=7211339E8BF8EFD7947E359CF122FEDE,SHA256=990D99A9A99A5DEB3EB3D034FCA07647A755115917950168D5D4106E29DB6599,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048540Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:28.332{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=1CC343795A78A63741CC5193C171F358,SHA256=593B84CDF9E30834554D69526D9DE169A94098DD870CC5D876D69FC5272D878F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048539Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:28.332{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=417749E3E6E69F71AB2E397CB366004F,SHA256=6718509AE9505954E199273783216FADA0CD79387BA010DD617DA159246E652A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048538Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:28.332{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=62FD336D14406E37DA254FE479884644,SHA256=9A74F075C40A7A6BAAA75F0107BFC86FA077620A4771C20B1FBD3EA6529C4987,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048537Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:28.332{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=5373D0D9D7549407C67AEAA762324CEB,SHA256=6441236E8AC326A5F3008374AE5ACBA684A38A1A2757A8053A4BD882F65C1980,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048548Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:29.562{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBE45DBAF065FFC33C82E7D4B97EC228,SHA256=3851AA56C57A3B75A758320F8C192E6A68E29C7ED0866734F62222B1AA14FB2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029416Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:29.577{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE3458A7494C6ADE0FB85928948D071E,SHA256=BA4411F9222941664E27A7B1E7098230E44E94DD71E2848F35A2597AEEC9A0E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048550Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:30.747{323FE7D8-02BC-6136-A700-00000000F001}1036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048549Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:30.596{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1AC8F1C086DA7D68B5F9723A41AC52,SHA256=2F706C9D3E9FC09DE872289FD9B10932A72939B9764F3550BE146A13154EB9BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029417Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:30.577{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=847FF7F665F6F2B59A009A9D1324A010,SHA256=CC2457548182F9BC1D71DCA000BABE3724CA9F2E550BCF02C91DB10C8CB5335E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048551Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:31.662{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA9EEE8E5BC3EF45D8780C475B6D8083,SHA256=3DF3087507530F1800D8B2245491C937BB15C1A0E40EE1F4F3E2A86E02A5C5FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029419Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:30.053{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51153-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029418Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:31.577{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9E8184B9D35F9CEFAFCE00158DD69B6,SHA256=D0E0881526BB8F8E19089EFC8C509B8BBB1617BD8F1A886E43C6B6E063DD5641,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029420Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:32.592{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D555417B3F5E3863340F12FA7090572D,SHA256=FE117359821450223538ACD6A74AD7375F760D18D3B020179B143140CC875127,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048553Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:30.325{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57443-false10.0.1.12-8089- 23542300x800000000000000048552Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:32.677{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF5781BA2AED2EE1B9B6D87753BB9F91,SHA256=8832FD511C5023409248F4EF3B883DF819FA59A15A67630DA6584EB1A6D55EE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048554Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:33.695{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AED41A2AB0EF492508961E9B2465732,SHA256=08C520F04BD73C4AB86D41E654CE3FFAEE85BF3EC71F0446D577A7B3D056FEB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029421Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:33.592{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D6D8F6BCD43BD2AABD96BA1D11E2801,SHA256=3D8180234C15C5F65001A8F00E0FD8AE26EC3DA98D6A83878B41F1591A15C53D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048556Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:32.787{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57444-false10.0.1.12-8000- 23542300x800000000000000048555Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:34.730{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CFD5CB8A3A3EB3CA3D78B9EE4652097,SHA256=DE1B179255973485ECAC05EE41BC919BDEE18E6C199EAD064FEC8549FE06D152,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029422Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:34.592{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8631F296CFFDFBA001BC187FF30A9E3D,SHA256=A4EF3D17401E02028FDFD6EB6C805E4767BE271B36B89FDB4610FE1056D895FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048557Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:35.760{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67443411D8B8CDA3ED3B934CF9A401FE,SHA256=D7B46999A12AA057BECC2BF26E341B9C45FAE5529998D1083B0A0E9670BF40E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029423Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:35.592{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D47261CAFAEF0882A755460E8B7271B,SHA256=9C7C7141211709522B555627E4D620F7314DAE63B4F3D8D2AA221CD5B8121EE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048559Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:36.791{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBCCC7F892ACE6FC6F2971A0A9F0E600,SHA256=C01BE3D2A8D5EE50B31180DF34ED34A3973635225954379E22D91B3B56461C6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029424Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:36.623{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24B590F2241D091CEF177DA075683F8B,SHA256=0E38610A28D1ACE441DA95D13680E438977720EE484E4F00073C5DD3B2270F96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048558Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:36.408{323FE7D8-022E-6136-1000-00000000F001}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8B2746E2586DB5B5CF86A9CB4EEBBCB4,SHA256=D7F16D63E6DE3F1CFC7AA7C7B1E291208669ACA6EBFFFBFDBDB395C7BAD913FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048560Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:37.810{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0456F06F11D4108456A9A720B56A6F0F,SHA256=F8D4EA4F4B3964A06EED5CE1E88B90609995A6908D93EDA9C4C247BDBC870DD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029425Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:37.639{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC94AA9D91E44F88251FAEF749FB9779,SHA256=D74A292E612920E36E9E1DEDA9A453534B4BE88C2055AC57DFED0F6F78C9320E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048561Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:38.831{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ADE33FFAA1BEE26E810C7BC5FC0116A,SHA256=6C5B3B78CD8F5BA9920B014A51969F7EDABE01B06E4B24650FE256FF81619A64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029427Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:38.655{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0348B5F663AF956AE6F9D44FA82C859A,SHA256=01E832382866233A136939C6A7FC0ABF77D6719070958F8B6639D466AFB57CF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029426Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:36.038{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51154-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000048562Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:39.835{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D79DCD0456AF636CBCEDB98971D24239,SHA256=01E25A408D4F3EE2790C60B56460A137A572638AE9CCA57D0455F5C1BC42C7D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029428Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:39.655{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDAFA7BD7608BA0D9763596D8C70DF9A,SHA256=798F1BFE01DC4310615C389347B586D8374CF221C9DD9EC2D89E652401742CDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048563Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:40.850{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20F29D5CD594D787FEE4207B8C85B336,SHA256=B79AFBA0E86EBDC81C4E258B33E8301A6B127CDC7E0628329F1B57EFA3862430,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029429Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:40.659{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F78364FAC78DA4E2D98059F6A392668C,SHA256=16D4537F69D3CEF53249DE21069A5D471BBA57CB4B195E82357373F1F06B589D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048564Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:41.865{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1D012A030C8414A09857BD19842E7AD,SHA256=9CC4A7E6C88F6DCAD93FC0DE4EF81C9D23E783330F342654C31135B1593F3571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029430Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:41.706{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A8BA289173381BA8A1733C819BBE3E3,SHA256=6E5E1816EFF9569AF179EF53F131E03C8DAD96BC3BD1DAED560BFCF906C5A270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029431Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:42.722{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CAB60839E3CA1E8DE46C9519CF3B747,SHA256=956517F125E89A8258BCA036537935E71C129AC95501398FE857CF728B4B7EAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048592Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:42.396{323FE7D8-053B-6136-6E02-00000000F001}44406124C:\Windows\Explorer.EXE{323FE7D8-1F82-6136-7809-00000000F001}3876C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048591Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:42.396{323FE7D8-053B-6136-6E02-00000000F001}44406124C:\Windows\Explorer.EXE{323FE7D8-1F82-6136-7809-00000000F001}3876C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048590Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:42.396{323FE7D8-053B-6136-6E02-00000000F001}44406124C:\Windows\Explorer.EXE{323FE7D8-1F82-6136-7809-00000000F001}3876C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048589Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:42.381{323FE7D8-053A-6136-6802-00000000F001}51044592C:\Windows\system32\taskhostw.exe{323FE7D8-1F82-6136-7909-00000000F001}3192C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048588Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:42.349{323FE7D8-053A-6136-6802-00000000F001}51044592C:\Windows\system32\taskhostw.exe{323FE7D8-1F82-6136-7909-00000000F001}3192C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048587Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:42.264{323FE7D8-053B-6136-6E02-00000000F001}44405000C:\Windows\Explorer.EXE{323FE7D8-1F82-6136-7809-00000000F001}3876C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048586Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:42.264{323FE7D8-053B-6136-6E02-00000000F001}44405000C:\Windows\Explorer.EXE{323FE7D8-1F82-6136-7809-00000000F001}3876C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048585Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:42.264{323FE7D8-053B-6136-6E02-00000000F001}44405000C:\Windows\Explorer.EXE{323FE7D8-1F82-6136-7809-00000000F001}3876C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048584Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:42.264{323FE7D8-053B-6136-6E02-00000000F001}44405000C:\Windows\Explorer.EXE{323FE7D8-1F82-6136-7809-00000000F001}3876C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048583Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:42.249{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-1F82-6136-7909-00000000F001}3192C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048582Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:42.233{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-1F82-6136-7909-00000000F001}3192C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048581Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:42.233{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-1F82-6136-7909-00000000F001}3192C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048580Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:42.233{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-1F82-6136-7909-00000000F001}3192C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048579Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:42.165{323FE7D8-022F-6136-1600-00000000F001}13081976C:\Windows\system32\svchost.exe{323FE7D8-1F82-6136-7909-00000000F001}3192C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048578Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:42.165{323FE7D8-022F-6136-1600-00000000F001}13081348C:\Windows\system32\svchost.exe{323FE7D8-1F82-6136-7909-00000000F001}3192C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048577Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:42.149{323FE7D8-1F82-6136-7909-00000000F001}3192876C:\Windows\system32\conhost.exe{323FE7D8-1F82-6136-7809-00000000F001}3876C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048576Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:42.117{323FE7D8-0537-6136-5702-00000000F001}27563676C:\Windows\system32\csrss.exe{323FE7D8-1F82-6136-7909-00000000F001}3192C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 13241300x800000000000000048575Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.localInvDBSetValue2021-09-06 14:02:42.096{323FE7D8-022E-6136-1200-00000000F001}768C:\Windows\System32\svchost.exeHKU\S-1-5-21-2499254954-2221441311-2395027858-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\1.batBinary Data 10341000x800000000000000048574Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:42.096{323FE7D8-022E-6136-1200-00000000F001}7683608C:\Windows\System32\svchost.exe{323FE7D8-1F82-6136-7809-00000000F001}3876C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048573Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:42.096{323FE7D8-022E-6136-1200-00000000F001}7683608C:\Windows\System32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048572Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:42.096{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048571Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:42.096{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048570Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:42.096{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048569Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:42.096{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048568Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:42.096{323FE7D8-0537-6136-5702-00000000F001}27566472C:\Windows\system32\csrss.exe{323FE7D8-1F82-6136-7809-00000000F001}3876C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048567Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:42.096{323FE7D8-053B-6136-6E02-00000000F001}44405688C:\Windows\Explorer.EXE{323FE7D8-1F82-6136-7809-00000000F001}3876C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+18cfac|C:\Windows\System32\SHELL32.dll+18cd03|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048566Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:42.102{323FE7D8-1F82-6136-7809-00000000F001}3876C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" "C:\Temp\ATTACKRANGE\Administrator{323FE7D8-0539-6136-E7C9-190000000000}0x19c9e72HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 354300x800000000000000048565Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:38.640{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57445-false10.0.1.12-8000- 23542300x800000000000000029433Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:43.737{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA609B2C6320447A8F77F4B2004D4D04,SHA256=82027446542DA5136B4825E53AC23DF092444EC0C57C7E4408396803AFF6B959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048595Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:43.349{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47309035C78C7EDD6A8D59410936E1BC,SHA256=323199AE92FDD62A749FCEA638F1D1129B66031D8A018022F2E61928D1395444,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048594Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:43.349{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CA64DB30A2460854441FC62E8651B0D,SHA256=41BECFB5069F2B940093BB2A3C716736217A31EEDDC553454988E7F8C37846C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048593Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:43.349{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D5452A96F070CE94F66DE881C777374,SHA256=7529D4F15259BBFAE9E1FC006F10B45956CFB1FAE610E353EA5E223361B4DA47,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029432Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:42.058{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51155-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029434Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:44.769{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E63FBF41041998314AFEC208E87C72D6,SHA256=B80E996E775FF289FCB31126EE4FB102644F529683770F3B281C08698C5156E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048596Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:44.365{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE16BD39D5A9A6BEC61AFA7CA6F10DDF,SHA256=F913F826B1EF1AF697541A04EF430DB26A251CC3D656A502C20EAB00C507FE8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029435Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:45.769{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4EAC30676AA9332CD98F499106E4DB9,SHA256=54CC29CDAD425B431F5B6443BBAFB393667DBEB50F4BF986B5506DC1C9E591C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048641Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:43.805{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57446-false10.0.1.12-8000- 10341000x800000000000000048640Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.738{323FE7D8-1F82-6136-7909-00000000F001}3192876C:\Windows\system32\conhost.exe{323FE7D8-1F85-6136-7E09-00000000F001}6424C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048639Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.738{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048638Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.738{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048637Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.738{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048636Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.738{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048635Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.738{323FE7D8-0537-6136-5702-00000000F001}27563676C:\Windows\system32\csrss.exe{323FE7D8-1F85-6136-7E09-00000000F001}6424C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048634Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.738{323FE7D8-1F82-6136-7809-00000000F001}38761884C:\Windows\system32\cmd.exe{323FE7D8-1F85-6136-7E09-00000000F001}6424C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048633Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.727{323FE7D8-1F85-6136-7E09-00000000F001}6424C:\Windows\System32\bcdedit.exe10.0.14393.4583 (rs1_release.210730-1850)Boot Configuration Data EditorMicrosoft® Windows® Operating SystemMicrosoft Corporationbcdedit.exebcdedit /deletevalue {current} safebootC:\Temp\ATTACKRANGE\Administrator{323FE7D8-0539-6136-E7C9-190000000000}0x19c9e72HighMD5=18A7F41EC0239BFA02C9B3903356377E,SHA256=DC21C5A8BCAA1EDA369801A297FFB1AB6AC73887F676E25A71140BDDC5553462,IMPHASH=640CFCF7F00029D52EF0C4D45E2E87A6{323FE7D8-1F82-6136-7809-00000000F001}3876C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 10341000x800000000000000048632Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.685{323FE7D8-1F82-6136-7909-00000000F001}3192876C:\Windows\system32\conhost.exe{323FE7D8-1F85-6136-7D09-00000000F001}5780C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048631Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.685{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048630Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.685{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048629Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.685{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048628Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.685{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048627Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.685{323FE7D8-0537-6136-5702-00000000F001}27566472C:\Windows\system32\csrss.exe{323FE7D8-1F85-6136-7D09-00000000F001}5780C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048626Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.685{323FE7D8-1F82-6136-7809-00000000F001}38761884C:\Windows\system32\cmd.exe{323FE7D8-1F85-6136-7D09-00000000F001}5780C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048625Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.691{323FE7D8-1F85-6136-7D09-00000000F001}5780C:\Windows\System32\bcdedit.exe10.0.14393.4583 (rs1_release.210730-1850)Boot Configuration Data EditorMicrosoft® Windows® Operating SystemMicrosoft Corporationbcdedit.exebcdedit /set {current} safeboot networkC:\Temp\ATTACKRANGE\Administrator{323FE7D8-0539-6136-E7C9-190000000000}0x19c9e72HighMD5=18A7F41EC0239BFA02C9B3903356377E,SHA256=DC21C5A8BCAA1EDA369801A297FFB1AB6AC73887F676E25A71140BDDC5553462,IMPHASH=640CFCF7F00029D52EF0C4D45E2E87A6{323FE7D8-1F82-6136-7809-00000000F001}3876C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 13241300x800000000000000048624Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:02:45.670{323FE7D8-1F85-6136-7C09-00000000F001}6264C:\Windows\system32\reg.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon1 10341000x800000000000000048623Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.654{323FE7D8-1F82-6136-7909-00000000F001}3192876C:\Windows\system32\conhost.exe{323FE7D8-1F85-6136-7C09-00000000F001}6264C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048622Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.654{323FE7D8-0537-6136-5702-00000000F001}27563676C:\Windows\system32\csrss.exe{323FE7D8-1F85-6136-7C09-00000000F001}6264C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048621Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.654{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048620Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.654{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048619Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.654{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048618Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.654{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048617Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.654{323FE7D8-1F82-6136-7809-00000000F001}38761884C:\Windows\system32\cmd.exe{323FE7D8-1F85-6136-7C09-00000000F001}6264C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048616Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.661{323FE7D8-1F85-6136-7C09-00000000F001}6264C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /fC:\Temp\ATTACKRANGE\Administrator{323FE7D8-0539-6136-E7C9-190000000000}0x19c9e72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{323FE7D8-1F82-6136-7809-00000000F001}3876C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 13241300x800000000000000048615Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:02:45.654{323FE7D8-1F85-6136-7B09-00000000F001}6724C:\Windows\system32\reg.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword12345 10341000x800000000000000048614Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.638{323FE7D8-1F82-6136-7909-00000000F001}3192876C:\Windows\system32\conhost.exe{323FE7D8-1F85-6136-7B09-00000000F001}6724C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048613Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.638{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048612Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.638{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048611Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.638{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048610Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.638{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048609Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.638{323FE7D8-0537-6136-5702-00000000F001}27563676C:\Windows\system32\csrss.exe{323FE7D8-1F85-6136-7B09-00000000F001}6724C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048608Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.638{323FE7D8-1F82-6136-7809-00000000F001}38761884C:\Windows\system32\cmd.exe{323FE7D8-1F85-6136-7B09-00000000F001}6724C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048607Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.648{323FE7D8-1F85-6136-7B09-00000000F001}6724C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d 12345 /fC:\Temp\ATTACKRANGE\Administrator{323FE7D8-0539-6136-E7C9-190000000000}0x19c9e72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{323FE7D8-1F82-6136-7809-00000000F001}3876C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 13241300x800000000000000048606Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:02:45.638{323FE7D8-1F85-6136-7A09-00000000F001}4984C:\Windows\system32\reg.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserNameadministrator 10341000x800000000000000048605Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.638{323FE7D8-1F82-6136-7909-00000000F001}3192876C:\Windows\system32\conhost.exe{323FE7D8-1F85-6136-7A09-00000000F001}4984C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048604Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.623{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048603Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.623{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048602Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.623{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048601Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.623{323FE7D8-0537-6136-5702-00000000F001}27566472C:\Windows\system32\csrss.exe{323FE7D8-1F85-6136-7A09-00000000F001}4984C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048600Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.623{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048599Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.623{323FE7D8-1F82-6136-7809-00000000F001}38761884C:\Windows\system32\cmd.exe{323FE7D8-1F85-6136-7A09-00000000F001}4984C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048598Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.636{323FE7D8-1F85-6136-7A09-00000000F001}4984C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d administrator /fC:\Temp\ATTACKRANGE\Administrator{323FE7D8-0539-6136-E7C9-190000000000}0x19c9e72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{323FE7D8-1F82-6136-7809-00000000F001}3876C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 23542300x800000000000000048597Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:45.386{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2982D17EA76D1CD3F2718DBAB6FB012D,SHA256=19423244455F5B990CB75269AE42E6EA7F4E35049B14AFE2F4A4670C43C7DC2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029436Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:46.800{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF218267F0777E8E6263FF6956F5107E,SHA256=42AE58E3412F1587DAB23BD1AEAC0580434333298CD3CA3C090CCDBAE4829908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048643Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:46.718{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1038DF4B6940C7185F06FB7A53C76A16,SHA256=ECD51AE8F0C79A3213C7745492A6B1A78E32A0C91BD1462DE66F6C95B5CAD03E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048642Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:46.717{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47309035C78C7EDD6A8D59410936E1BC,SHA256=323199AE92FDD62A749FCEA638F1D1129B66031D8A018022F2E61928D1395444,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029438Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:47.836{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=747ABB096720DCD89FF5945E1ECD0A28,SHA256=5E8A7343FD444D584F406120E50ABF7F2EF0CD0749076B6F7638228C742EE0F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048644Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:47.753{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9636EFEDCD5838CDB585E0462077F214,SHA256=3E097B1748F56FD5476177A41B1F1AF13BFC20AE400357E21B9CA50674242B75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029437Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:47.694{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\respondent-20210906120554-113MD5=4761C661187147E55C9BD88F93ACDD3F,SHA256=E49051AD655512C416AEEFA39D6145E31F50204E8459201070596158B48A8487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029440Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:48.866{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE97873519232338B9F9EDE135862ADF,SHA256=8A1BD0E0FF79E86FED733F2607F07AD5441FA410D3A3214A64CC0C4EBE5BCDD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048645Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:48.784{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCD88E9A4E2BA68DCBA42592C7AC9B06,SHA256=8E0DD9B9164745C702FD166369AE02403F7F5B5240BBCB7E68DD50928C6A2A26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029439Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:48.697{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\surveyor-20210906120551-114MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029442Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:49.884{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0643FEC511F96BF33CB748E4371D5938,SHA256=0FD0EEBC6DB71E3978A7D48D8AD17D35C46575295F311763984C65EFA6538E6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048646Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:49.817{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F00C13811F819DA1155CAFBA80AC1BE9,SHA256=708D759BE46D33288E18DC560D64DBE6AAA2B2382D93226EAE86254A2A225612,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029441Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:48.048{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51156-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029443Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:50.915{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D88C4E03DAF5ED336323F1B3D4359FA,SHA256=7BE9C1C6E0832BC6E3700313419E5906A7F395727618B6E43A38FEE19A1CA1A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048647Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:50.852{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=318B043B98FB66CD151C80ADBECE6F0E,SHA256=60F8FA9215B540CCA0DE470AEE12864DF1663042C168E7CF414E03C07CCE0222,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029445Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:51.931{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E64FA19CCEC2D71C417E79BE73927DC9,SHA256=7439EB3A4E328FDA0D66FB4F634150AD96BC21F1530ED0DC8EE6A5F83007E7A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048657Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:51.884{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49E1C2056150B133BA9B505EDC7BE6F4,SHA256=FB60C8AF49F7C36EDCE5B642FBE943F7B2A50C49D37221F744BBC0B4B91A1833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029444Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:51.728{FFF7FB96-041E-6136-1200-00000000F101}1020NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=04FD02A04D7BD20AFDD6D83CA95C591E,SHA256=16D9047D02BCE14CA85D5AFAA5851686A284E9D9CDD4C58C8CB3E9658CB71DFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048656Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:51.484{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=D83EC6C84D5E76CF0EB4DE94415EA39A,SHA256=0679655DAF37DA30DC9BA030456CFB2DB36705DDA7B7F8AAB5C4151FD4A2DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048655Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:51.484{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=FA07BDDA2B1F61527D7C17579D26B400,SHA256=8D64FD71E6C1B377CFC2700B87E33FD8B6BE4654696A286B423144692564E884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048654Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:51.484{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=5BD50C3607F93FEE3AE00A0F984B755D,SHA256=9F71DC620475EB4E8D87F967E2D134AC16F23AB4C078EE3C7DC0D0DDD9860E9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048653Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:51.468{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=B46F620A536E08CD274533B8E98DB47C,SHA256=A97B69C2D821BDFF1F6F001CCEAE6D4EDE113811AF905E56BB40720E13643855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048652Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:51.468{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=DB84F763772B1F83580547729D299A5C,SHA256=9D93E99AD741F19F11C3FA25F2B04A81E1017C11FD06E6DF2F7B70B1FE154A0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048651Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:51.468{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=EC0C74BF86A9676BDE63C850663045D0,SHA256=7D4A5C1CD4B73E822DC86575492102B2FE20A8855A8F263782FB8D6A0B916747,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048650Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:51.468{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=6A94164FA4E23575A98516F5BD49AB6F,SHA256=5B240FBF0D24ECDC1D38072E849D9828A765CA099632B555958B70D6B9D43FA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048649Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:51.468{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=89867C6B95526B86DB661108A4B51B02,SHA256=C38B119B2E461FB820C18A78730D127E5B53A1410E7018D553737E29C69A5A83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048648Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:51.468{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=DE8A07582288A129027BCDA429698367,SHA256=7C0BB8DB5D180A4D00571D4B5DF1CB607DC43BA3A1E4C6652BA4572C9DD81A66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029446Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:52.978{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32806C1F7012E4041360CF677BE9DA7C,SHA256=F82946B82F0AAC5453B3661691B459C39C8187BF4D761E5CA9AC9652BAFE0A2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048659Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:52.919{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=164A1D7161FF6ACA2387FDA1D903CEC1,SHA256=8198B46F04C39A8C16B3C5F77E75AC757DF4D741973821AAFA391AF1CC385F91,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048658Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:48.812{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57447-false10.0.1.12-8000- 23542300x800000000000000029447Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:53.978{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFF0E4E5BF90E598B4D0110DC71C11E1,SHA256=77E3D5221B2988017BF0457ED1D1028D40FE361733737AE7D3960F7A0FD41BAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048660Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:53.936{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBA5F731309DADD4B9D052D7F4C638F7,SHA256=F7E16A5D623E3BCE39E9BB11D4E0A171217E029B807703B5B7ABD4ECEC87A9CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048661Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:54.951{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C14722811B413C0DA929062A25F4CBC6,SHA256=9C6788735DA88048FA7F9C95E9B78963CB232C74BBE0A5033851C09F58145893,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029451Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:53.064{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51157-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000029450Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:54.040{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041E-6136-1600-00000000F101}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029449Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:54.040{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041E-6136-1600-00000000F101}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029448Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:54.040{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041E-6136-1600-00000000F101}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048662Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:55.982{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D699B7569EAD851348ECD9A1E720AE9,SHA256=F4A96CE9B2BB31D8B8EF3A8A19294605CB08FDB40D07C61FC27A66764FFF1E6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029452Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:55.009{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6BA55CA9AE78F209CBD43BAA3D0338A,SHA256=BBCDB50426BAC098F13A45B5037856FD23B86FB8B19CC6DE006515989EB70456,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029453Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:56.040{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A885139581A59C564C1BDAC678D5C7,SHA256=08910C7487BEA9BE9FF76F96E1D92A945F0877BA4AF513E94CDE51AC8A76074E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048663Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:57.016{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2039DEBD6250545E1FE02A6A63C8033,SHA256=79AB9D604EF81BE230E50D79160B9E68BF7788FB834D9197D6F067893C92CAE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029454Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:57.056{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14CD9F019C212FA86B4899FA1536D904,SHA256=39FE472ECD88C68F04E8542FD084DABE8573FF54BB9474F9575DCE0FC78DD105,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029455Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:58.072{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E0A2D6A7A1B56356EBF4E18D2C318D9,SHA256=436866B16A0A41E360B86C072B5CFD49A51AB986E43CA0B40ABE682AA5270691,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048665Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:54.807{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57448-false10.0.1.12-8000- 23542300x800000000000000048664Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:58.051{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37B80D6C5051E73820080F5E43B920D7,SHA256=A7D7CD68CD6C44E41AB03E63C4F1ADDB308056E63C2CDE7906470C4FB5188C85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029456Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:59.103{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D345F141F32C06ECA8AD4E3FEDE938,SHA256=97F9DB976FA98F365FCA03A5F127F9A10F1E4FC305CC313AABFABD3078730921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048667Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:59.484{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\respondent-20210906115753-121MD5=58D52BFFD80488B8005F7C319C2D4334,SHA256=B9D8441D1BC2ED8425146F5F211E2A21C477807F4E0B7EBAD9811C868FAB9279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048666Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:02:59.082{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB91C6120B030E6363A8A6FD4217C91A,SHA256=7E6D6975BB94148489C5CAB118C2CA25B1B70E1611AAC386DA011D522E1DD7E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048669Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:00.486{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\surveyor-20210906115751-122MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048668Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:00.101{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1005BDC2123C3E5C2E447698BDCF3A2C,SHA256=C711D6DD25EE847AFE964631B43379913A4205462F269C4EC2C4778E24FB37A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029458Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:02:59.080{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51158-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029457Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:00.104{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E2FEA6F91B61540606DD5AECD90FC12,SHA256=3C7FC8D655833E8777E7503F7D2213EB415F22BBF625D658F611A816B0A9A0BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048670Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:01.103{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F623345F32F94D63A729AC02D79BEB1,SHA256=803AB26AA962ECBABD292DE0626084098EAA2E4FECC8C4EFA9CAB965489E2077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029459Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:01.120{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84402985250DCFDBBD6FFEF9AFAD7736,SHA256=A60B06A43F4AF84176D1A5C6AB77648DC15128BFE69FA61AFD6F4F07A9334D05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029460Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:02.120{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBAE744607825BC750632B6835BBDE2C,SHA256=8074B3E930348FD46D45A6495CF170F3A0FB4478A16D6294FA13758B9CDDBFB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048671Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:02.119{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4441F800663A4DACE190FD8925B75B62,SHA256=2A3E185ED8AA06051AFF19755A45B0573D48079C60AA04892331DC85E86AFE90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029461Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:03.151{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAEF3607EF3B776841EC73181D4C1029,SHA256=B6D4F8CDC5A0F6D47CFA781B1C4B6ECDAD3FE477305D1EC6CAAB8AFECBE86185,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048673Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:00.647{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57449-false10.0.1.12-8000- 23542300x800000000000000048672Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:03.137{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06B713AD04187E655BA2D13BF3244BF0,SHA256=4D3097D68DDA0CD4A5EA68B7DA1B6B9924183F4EFA9C706D2696359FB9AB67FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048690Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:04.757{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1F98-6136-8009-00000000F001}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048689Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:04.757{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048688Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:04.757{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048687Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:04.757{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1F98-6136-8009-00000000F001}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048686Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:04.757{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048685Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:04.757{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048684Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:04.757{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1F98-6136-8009-00000000F001}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048683Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:04.758{323FE7D8-1F98-6136-8009-00000000F001}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000048682Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:04.268{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1F98-6136-7F09-00000000F001}4740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048681Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:04.268{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048680Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:04.268{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048679Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:04.268{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1F98-6136-7F09-00000000F001}4740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048678Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:04.268{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048677Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:04.268{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048676Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:04.268{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1F98-6136-7F09-00000000F001}4740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048675Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:04.269{323FE7D8-1F98-6136-7F09-00000000F001}4740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048674Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:04.168{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FAC100B4BD7BF70017C81F7807AF87E,SHA256=6F47A559FFBDA8CA8261942A0E5512208ABE9F41F182281354AF7B32BA6B1C46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029475Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:04.557{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1F98-6136-EB06-00000000F101}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029474Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:04.557{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029473Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:04.557{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029472Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:04.557{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029471Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:04.557{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029470Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:04.557{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029469Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:04.557{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029468Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:04.557{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029467Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:04.557{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029466Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:04.557{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029465Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:04.557{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1F98-6136-EB06-00000000F101}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029464Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:04.557{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1F98-6136-EB06-00000000F101}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029463Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:04.558{FFF7FB96-1F98-6136-EB06-00000000F101}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029462Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:04.167{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A4FD6FBF499DBF9DFD1E11922F5E65F,SHA256=97EB50864A1EA3B7A1311B0662A2C83F61212CF65E8B1472330621E3FCC9FF47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029504Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:05.886{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1F99-6136-ED06-00000000F101}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029503Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:05.886{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029502Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:05.886{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029501Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:05.886{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029500Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:05.886{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029499Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:05.886{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029498Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:05.886{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029497Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:05.886{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029496Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:05.886{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029495Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:05.886{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029494Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:05.886{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1F99-6136-ED06-00000000F101}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029493Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:05.886{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1F99-6136-ED06-00000000F101}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029492Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:05.886{FFF7FB96-1F99-6136-ED06-00000000F101}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029491Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:05.557{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDA44CBCF19793525C95F5DE6BB15892,SHA256=683CBBAE245D5BC977B4A056CE190DF63A9A1E15ED749E8C3AF3F80FBB2E8BFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029490Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:05.557{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34C3C0E36A3DB5DADB81B84DCA902C82,SHA256=8FB075F757FB141A34E7849068924962D1F1FD2F28520753C1448C0555A24239,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029489Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:05.214{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1F99-6136-EC06-00000000F101}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029488Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:05.214{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029487Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:05.214{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029486Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:05.214{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029485Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:05.214{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029484Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:05.214{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029483Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:05.214{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029482Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:05.214{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029481Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:05.214{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029480Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:05.214{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029479Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:05.214{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1F99-6136-EC06-00000000F101}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029478Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:05.214{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1F99-6136-EC06-00000000F101}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029477Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:05.215{FFF7FB96-1F99-6136-EC06-00000000F101}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029476Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:05.198{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=358222F3180307786F3CA71BC1044AD9,SHA256=B9CA20A0C044A70A4120DCB02CC6AC9BD7219C69EBCA1AF94BCB0B4C08A9D1D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048702Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:05.397{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1F99-6136-8109-00000000F001}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048701Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:05.397{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048700Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:05.397{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048699Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:05.397{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048698Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:05.397{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048697Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:05.397{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1F99-6136-8109-00000000F001}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048696Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:05.397{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1F99-6136-8109-00000000F001}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048695Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:05.399{323FE7D8-1F99-6136-8109-00000000F001}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048694Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:05.282{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2080ABB25930AF489A8362012B905692,SHA256=E48BA2547844B6332857CFAEFE0B9356E735AB4999A8EA3EF0C1637F24C18681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048693Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:05.280{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFBFFB639EAB3F11528A492FE166A32F,SHA256=0A12DB75ACF7CE4F4A9193801FF0A960EFE8B292B20AA6D9AA469B8D8C0948A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048692Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:05.182{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6E232BEBAE75001B70B19976E4D1A97,SHA256=8763EF762CDC4E758F0859BCEF818168E5AC0B282B4B2432321C923A24CF37AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048691Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:05.066{323FE7D8-1F98-6136-8009-00000000F001}6420596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029509Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:06.932{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDA44CBCF19793525C95F5DE6BB15892,SHA256=683CBBAE245D5BC977B4A056CE190DF63A9A1E15ED749E8C3AF3F80FBB2E8BFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029508Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:04.928{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51159-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029507Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:06.714{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6A2DE72E0963B11003DC05B5408F955,SHA256=4B8796F2977939389D9FEF221B2FFF04976AA4C018CF0B7F752900D7E02CBE71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048704Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:06.398{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2080ABB25930AF489A8362012B905692,SHA256=E48BA2547844B6332857CFAEFE0B9356E735AB4999A8EA3EF0C1637F24C18681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048703Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:06.198{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50948E875409A3659B23874235C81C63,SHA256=0559D3D3D830020EDAEE6B3BBA69EACC8CD607E617592791FD40AA333E39D121,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029506Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:06.198{FFF7FB96-049C-6136-9F00-00000000F101}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029505Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:06.026{FFF7FB96-1F99-6136-ED06-00000000F101}33002596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000029525Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:06.035{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51160-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000029524Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:07.761{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DC6CE8B5EF3A1C504F2A0651A1726F5,SHA256=3F81211688E89F05B8E4DF49EB9A857DE2A7E301A31D42959C5EB4A6B44E1BBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048716Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:07.660{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1F9B-6136-8209-00000000F001}6296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048715Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:07.660{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1F9B-6136-8209-00000000F001}6296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048714Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:07.660{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048713Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:07.660{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048712Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:07.660{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048711Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:07.660{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048710Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:07.660{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1F9B-6136-8209-00000000F001}6296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048709Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:07.661{323FE7D8-1F9B-6136-8209-00000000F001}6296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000048708Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:07.413{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-022E-6136-1500-00000000F001}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048707Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:07.413{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-022E-6136-1500-00000000F001}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048706Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:07.413{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-022E-6136-1500-00000000F001}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048705Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:07.213{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3862E84352BFE196F2AF6FFC06A06DA1,SHA256=5073537B610C9937D9D18EE07A67694CFCDE65748664B276F5E91A68D01554BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029523Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:07.495{FFF7FB96-1F9B-6136-EE06-00000000F101}9883228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029522Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:07.339{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1F9B-6136-EE06-00000000F101}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029521Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:07.339{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029520Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:07.339{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029519Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:07.339{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029518Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:07.339{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029517Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:07.339{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029516Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:07.339{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029515Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:07.339{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029514Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:07.339{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029513Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:07.339{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029512Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:07.339{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1F9B-6136-EE06-00000000F101}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029511Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:07.339{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1F9B-6136-EE06-00000000F101}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029510Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:07.339{FFF7FB96-1F9B-6136-EE06-00000000F101}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029554Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:08.854{FFF7FB96-1F9C-6136-F006-00000000F101}36084048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048730Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:08.746{323FE7D8-1F9C-6136-8309-00000000F001}39682576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048729Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:08.662{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47DAF25D12299349F4094A38D42E6C3A,SHA256=85DCBF590C04C5E6EF08DF77D865AB848BECB30FBA994768CF66810AE7CDA79D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048728Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:08.547{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1F9C-6136-8309-00000000F001}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048727Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:08.547{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048726Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:08.547{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048725Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:08.547{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048724Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:08.547{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048723Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:08.547{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1F9C-6136-8309-00000000F001}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048722Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:08.547{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1F9C-6136-8309-00000000F001}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048721Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:08.547{323FE7D8-1F9C-6136-8309-00000000F001}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000048720Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:05.424{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local57450-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000048719Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:05.424{323FE7D8-023F-6136-2800-00000000F001}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local57450-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 23542300x800000000000000048718Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:08.216{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F5BE91A64C7FF38DFBBACB4CFA1170C,SHA256=48142244DCFDE9393617B3EA79F1328BBC647262868FFBC9FD7552E8C8EEE8EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029553Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:08.682{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1F9C-6136-F006-00000000F101}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029552Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:08.682{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029551Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:08.682{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029550Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:08.682{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029549Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:08.682{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029548Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:08.682{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029547Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:08.682{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029546Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:08.682{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029545Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:08.682{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029544Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:08.682{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1F9C-6136-F006-00000000F101}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029543Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:08.682{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029542Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:08.682{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1F9C-6136-F006-00000000F101}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029541Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:08.683{FFF7FB96-1F9C-6136-F006-00000000F101}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029540Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:08.370{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48830131D4A9BC7C051CF3223B8CE057,SHA256=211EF437499CA4D17AC340DD54C7224C273A019EC405846C1EFF9C993C4F3363,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029539Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:08.182{FFF7FB96-1F9C-6136-EF06-00000000F101}10043772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029538Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:08.011{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1F9C-6136-EF06-00000000F101}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029537Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:08.011{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029536Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:08.011{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029535Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:08.011{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029534Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:08.011{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029533Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:08.011{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029532Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:08.011{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029531Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:08.011{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029530Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:08.011{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029529Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:08.011{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029528Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:08.011{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1F9C-6136-EF06-00000000F101}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029527Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:08.011{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1F9C-6136-EF06-00000000F101}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029526Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:08.011{FFF7FB96-1F9C-6136-EF06-00000000F101}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000048717Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:08.074{323FE7D8-1F9B-6136-8209-00000000F001}62964668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029570Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:09.885{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A295D1711EC1DF1282ECB48DAF89895,SHA256=53E6829A16BB086C5FE31B34832B98349DC07F5859BA051661205FE0638FF2B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048749Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:09.899{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1F9D-6136-8509-00000000F001}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048748Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:09.899{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048747Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:09.899{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048746Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:09.899{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048745Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:09.899{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048744Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:09.899{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1F9D-6136-8509-00000000F001}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048743Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:09.899{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1F9D-6136-8509-00000000F001}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048742Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:09.900{323FE7D8-1F9D-6136-8509-00000000F001}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000048741Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:06.654{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57451-false10.0.1.12-8000- 10341000x800000000000000048740Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:09.484{323FE7D8-1F9D-6136-8409-00000000F001}63525308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048739Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:09.262{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2159FB19CF2CB708ECD27584D0D1A75F,SHA256=B3D4CD8FB36B14C1790DEDA112ACF48FE0310F300F91638F113729807E769BEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029569Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:09.682{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B57664859007740E08B42EA7AAFAD3FB,SHA256=C8D692A41B3E6A1D5F8938E5611F3F0E95F9B06050706C1AA4E4EBA0D24ED158,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029568Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:09.354{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1F9D-6136-F106-00000000F101}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029567Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:09.354{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029566Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:09.354{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029565Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:09.354{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029564Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:09.354{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029563Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:09.354{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029562Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:09.354{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029561Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:09.354{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029560Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:09.354{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029559Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:09.354{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029558Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:09.354{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1F9D-6136-F106-00000000F101}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029557Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:09.354{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1F9D-6136-F106-00000000F101}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029556Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:09.355{FFF7FB96-1F9D-6136-F106-00000000F101}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029555Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:09.057{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D706565DA3C008FD52D937AF999F637F,SHA256=EACDA8A94DA27553E35BA8B9AF1D827A6427A43C5546CAC4F6650DC55CDF27A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048738Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:09.230{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1F9D-6136-8409-00000000F001}6352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048737Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:09.230{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048736Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:09.230{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048735Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:09.230{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048734Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:09.230{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048733Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:09.230{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1F9D-6136-8409-00000000F001}6352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048732Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:09.230{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1F9D-6136-8409-00000000F001}6352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048731Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:09.231{323FE7D8-1F9D-6136-8409-00000000F001}6352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029571Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:10.917{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20360316E7C1603BC228A0626865B4D1,SHA256=69DBC1505FCBDCF6B971CE864028AD8CF75F11DDE434B7D5FEEC145AB618A13A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048751Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:10.283{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=354A6246480F268657E013D1F545B5BA,SHA256=039AF9BAAE744B3C1A7B8E36E342A0DD28045EF89D21ADF5FB2D27B0CB339340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048750Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:10.246{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C328294F1C3D44AC1F1C90279F6CF2DC,SHA256=C938F9C6AD9938E96839841FEFB5BFBF6E1FCF3963C335AFAAAB52028355EB1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029572Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:11.917{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6FE62ECD61E694DC38559E370EAC583,SHA256=A734DF2B138418A1E7BBBFEA2411F4827CB9F95150CFCAD573E9FB7621CE2546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048753Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:11.629{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F815F7C6FA9050771FA66F0D5136996,SHA256=AB9E65C3DD79140D0D9507CE66D1EB2DFA8CF225359944A5C344266F1588B353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048752Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:11.298{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F557C9339D38717F660212F1BDF3347,SHA256=237D4A42846330698B849015245DCD377A925FA495BCAD205422DD74E7573EB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029573Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:12.964{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FDCC3AF8A6A6B8E69088086FB30C0A5,SHA256=0D75461796BFB6B8EB740A34499A27AFA5A38FB185176888EC9A363FFDA64D21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048754Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:12.300{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A33F2D27CC8E9F20BC730335BFCAB8E8,SHA256=C053D0BCCC6408C78DA5296864200430835D6E7FB9789C6802DBB80BDEB79BE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048760Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:13.764{323FE7D8-053B-6136-6E02-00000000F001}44403484C:\Windows\Explorer.EXE{323FE7D8-0690-6136-1905-00000000F001}4808C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e8d|C:\Windows\System32\SHELL32.dll+61e00|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048759Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:13.764{323FE7D8-053B-6136-6E02-00000000F001}44403484C:\Windows\Explorer.EXE{323FE7D8-0690-6136-1905-00000000F001}4808C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048758Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:13.732{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-0690-6136-1905-00000000F001}4808C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e8d|C:\Windows\System32\SHELL32.dll+61e00|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048757Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:13.732{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-0690-6136-1905-00000000F001}4808C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048756Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:13.732{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-0690-6136-1905-00000000F001}4808C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048755Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:13.301{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20216F18D46EEB6E585A4A92BC7BF51F,SHA256=F3F5EA0D4D044A05FFF353A6B1E7410522A8D7A70C6C24D52126A9609F6FAD49,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029574Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:10.941{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51161-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000048762Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:11.693{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57452-false10.0.1.12-8000- 23542300x800000000000000048761Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:14.328{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5E15C15E4E935D154458CAEAD14BB26,SHA256=2165BF11B679A24439D3C2524045CB1E5D2507ACB97955D3BD9FC4BC9A341911,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029575Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:14.073{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A853BE398FE543E20CA7BFDED6E7CEEE,SHA256=4FFE015391325B0658091CA22ECDF522CC5780E4103675714182732170A10BAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048763Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:15.359{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C0295E4B092266A5370DC4EAC7747E,SHA256=BD8FB97464B5BC7B18C8DF3399D15B62DA1530604C6172E0096AF11C5CA9496D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029576Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:15.089{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F80CE82FE6ED6EBEEDA31FD575C99EE8,SHA256=39C2B703F4C826C9CB3662033606F29E66409302414A7179B0079EC54AF6AD51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048764Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:16.374{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E44437C0E101876026DCCCDAA0AF1F5,SHA256=48A8B24B6EC21D4DE3F8467D3A6A34AE21225C627399D8628F587AF40C60AC77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029577Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:16.135{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E851A6042932D61F20BBE0083A00134,SHA256=CFC8340080ADB9CDA41AC918DEBC87320BED541DD502BF4048F120DCCF9611F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048765Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:17.391{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=079712BA31AB5801CDA6F28C702C41D1,SHA256=AFD7EFDEC6986252A83FDCAF5ADCBDD6BD870DB719F516291A1F2E56E06A79AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029578Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:17.182{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B2E0F3FAD73E4C30936FD016F9A6FBB,SHA256=2914E85FB8244D2B92035B6374ACF85FB451BE384085C9581940188A52851FB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048766Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:18.397{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD7F6C60C5116DE4DA849C3225313239,SHA256=01A32DBB1DD14220B137DCDBF12855B9626FD8DF53499C051F5B0D6699412CA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029580Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:16.019{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51162-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029579Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:18.198{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03BD521D0B0B3CA7080B4AA3A89F26BC,SHA256=0A76C343E4E334004BD986BCF4E6CE2BB494CA80384893BCD0038B70ACEB2480,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000048770Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:03:19.579{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9752B235-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9752B235-0000-0000-0000-100000000000.XML 13241300x800000000000000048769Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:03:19.579{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CED8D70C-FDB7-4280-B713-3A56B1B8A289\Config SourceDWORD (0x00000001) 13241300x800000000000000048768Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:03:19.579{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CED8D70C-FDB7-4280-B713-3A56B1B8A289\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_CED8D70C-FDB7-4280-B713-3A56B1B8A289.XML 23542300x800000000000000048767Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:19.417{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C9080AF6A34B8B5E9BE1154BD98F910,SHA256=6880EF9EE0ECC8C89A5927739A4D9905ADE45B8C25D73FCDA8A39A4D5BD8C723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029581Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:19.214{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B060681E2B6469A76C6EB6D94C65A049,SHA256=37D8DF30670492F469FEBFDE733AD15DD5CC35A058AD0FF7DE756BBCB747A33B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048774Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:17.636{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57453-false10.0.1.12-8000- 23542300x800000000000000048773Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:20.581{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0688B2CFF2C9967BF0EE255974C13BA4,SHA256=05EB3BE7269634B22BEDB42D776B3F2BF239B0F46F3562E7026CA36F90AF5B47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048772Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:20.581{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F001761F332D181EF1920DBD03FC93F6,SHA256=A7A5842D39E15CCCC3694C3AF572F8DBB921EF665C22EE904470F8F7E93C8C42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048771Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:20.419{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBE0E25DB07D40D198DEE7C761FCFD5D,SHA256=3BC9DAC74AFD2E6FECE7E4A8E63E8929062BCFF4B63A2D797638DA985A4BB5C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029582Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:20.259{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A2B69038E2BF01B48A606F494C620F0,SHA256=2BFCA4B0BB13030A44319627F0D8EAD6A8E17710E8C452DC7B44B26200ADDA2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048782Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:19.200{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local57456-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 354300x800000000000000048781Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:19.200{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local57456-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 354300x800000000000000048780Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:19.182{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local57455-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 354300x800000000000000048779Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:19.182{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local57455-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 354300x800000000000000048778Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:19.159{323FE7D8-022E-6136-0D00-00000000F001}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local57454-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local135epmap 354300x800000000000000048777Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:19.159{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local57454-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local135epmap 23542300x800000000000000048776Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:21.518{323FE7D8-0690-6136-1905-00000000F001}4808ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=06D7CD7C1127F6FFB142B3C054B9C9BD,SHA256=C4B0E46F4155BA37AA06C7AE47B79C4418F8A01D449A7BCE838CF0ADB1C338B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048775Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:21.434{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FBB6B5547F98ED2F178F46414EA6064,SHA256=474FAC0F8220D42A34729D98EDBCD394CB3E601191C8E0E2E38EF86CE7A184EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029583Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:21.306{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A5AFE7757A662CE1B5EFE6E206ACD17,SHA256=5B735BA9AF4034D8CBA6F7B0E1F4586D740EC0A3BC0C32C38E053F2E5E163168,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048790Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:22.453{323FE7D8-053B-6136-6E02-00000000F001}44403484C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048789Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:22.453{323FE7D8-053B-6136-6E02-00000000F001}44403484C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048788Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:22.453{323FE7D8-053B-6136-6E02-00000000F001}44403484C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048787Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:22.438{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B06FCC49B9DA0ADE4819FCC7BC9ACE82,SHA256=4B1EC03A4B797C402F6D5AC07B8E797DEEE0D65D15C62A7750E83A6B3B7769AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029584Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:22.306{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3ADD7DB01AE96F1099D941F3C73640B,SHA256=44C86993F09F11DDBEC81B39D072F0531906194C091BB33AE6C8E9889BEBE81A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048786Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:22.422{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048785Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:22.422{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048784Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:22.422{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048783Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:22.422{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048791Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:23.454{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D03A90A6AD1C667EB8886186E0D71C8,SHA256=1D4DD99DBE760A016DDE3F6E3AEC14E5732E248AAEC72B5C59A18778F149871F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029585Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:23.321{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76D668DD41A217078B21ED051C2CFEF1,SHA256=812EBB1603CA4F885466FBAC070E44D8A8AE49CB4B34491D023259474B1DFE61,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048793Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:22.833{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57457-false10.0.1.12-8000- 23542300x800000000000000048792Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:24.469{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D34BFD816CD8544D2859F0F09B844D57,SHA256=DBE6CFECAE39BCB34E7D7B236F3877E204B8D0A156DD66F894899177166590CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029587Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:21.970{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51163-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029586Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:24.352{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E893B544401FCF5B7BCD4514D0D8292,SHA256=69381555CA830D13B156D6B23BA640F54FA2729B5FCB605207823210F50F30B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048794Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:25.485{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BC21DBD117DE5EA4D936DA2A9A89C6A,SHA256=B0747E7C0777D5C624FD3B065204B44F0DFE5079B80DFDA137EB2F8C416572E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029588Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:25.399{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C63967DCDB01BE924D374268E3B74201,SHA256=4F612C1F23665EDC43F5520C8C69D93812EE5F6333E2263347E53E689667BB75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048795Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:26.503{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97E45B13587D41F121555811D9031F91,SHA256=5B58B71F9AA4BE8B22A2A0E58EF3B2CF01FEE89CA5FC48F14FA014E0511D625F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029589Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:26.400{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C190602B42289B79EAAB3A604A0C6088,SHA256=18603C27100F4FCFD4639B08DC22A7B654BE71123089ECB7F79733806B5FE859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048798Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:27.784{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47A618B6083250F1D9607B9053513D09,SHA256=B399D758A1D859B0A166678C1A71DEF75B6D6A0B0EED84955C4E29950D10DBBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048797Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:27.784{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0688B2CFF2C9967BF0EE255974C13BA4,SHA256=05EB3BE7269634B22BEDB42D776B3F2BF239B0F46F3562E7026CA36F90AF5B47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048796Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:27.521{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8A2C6B5054698E84E3F7E7C472C9BE5,SHA256=CC02D23FA883138AEB93FD317FFC2389F018380B68FC364E113D015323AEEAA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029590Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:27.415{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EA54877B37BC02FF4B5B4EA282EE4D6,SHA256=783DAB18FFCB3876767509EF85BE58228108491E6BED7159E060DA1B86BA8C48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048799Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:28.537{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79D0625F0F24C8F0CDB821647DFE7DB5,SHA256=AB3A0CC7F52DBCE6102184578045A4049F351830003E8F5F75C7EDABD9D36534,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029592Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:28.431{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B88D8BFFC49FDFFBBA1AAC58D2798AAA,SHA256=01A0AE8BBD2ADCEAACD24AD563967EAC31C542A4558CE65FC416D301D8283907,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029591Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:26.986{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51164-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029593Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:29.477{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBA585C1CCE593118DB40F0D9AD2C532,SHA256=33EA9FE4FA86347856E74F444B4E7F5152AF25CED67BA8F170FAD407862F527B,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000048804Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-DeleteValue2021-09-06 14:03:29.875{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon 10341000x800000000000000048803Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:29.875{323FE7D8-053B-6136-6E02-00000000F001}44403484C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048802Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:29.875{323FE7D8-053B-6136-6E02-00000000F001}44403484C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048801Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:29.875{323FE7D8-053B-6136-6E02-00000000F001}44403484C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048800Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:29.543{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F11E85B9A736FC4D5ACAAF8C66E0D02A,SHA256=B75F854A35879853EC972BD9408BC9C363AB7CE93477D06F73670AF51ED1898D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048806Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:30.774{323FE7D8-02BC-6136-A700-00000000F001}1036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048805Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:30.543{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=023E933F65CC65C80AD7E711115A7B28,SHA256=58BE67DCC760FC7F05235119003FFA48D3F40C5D68AD4C8BB99B8702F0A0A213,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029594Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:30.477{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=787592E17A850761DCA43A91B7CA7414,SHA256=0B8E8B2D44B4BC8C3C6D69EBCD03F930D9C56D063F35020CA6D86CB631E2A096,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048808Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:28.699{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57458-false10.0.1.12-8000- 23542300x800000000000000048807Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:31.558{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13530EEEB65706CDCCD4240B721910D7,SHA256=0A87989840886B3E1C66496D559E9FCC4A4E624EBADBDDC2376733604BDB1EC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029595Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:31.477{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FDE022F986D911EA0CD324A696FF937,SHA256=A074EDE1762C252D94A45749CF85FCB45E5ADF4A16EEE528771DD0A5737ABDA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048814Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:30.353{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57459-false10.0.1.12-8089- 12241200x800000000000000048813Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-DeleteValue2021-09-06 14:03:32.873{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword 10341000x800000000000000048812Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:32.873{323FE7D8-053B-6136-6E02-00000000F001}44403484C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048811Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:32.873{323FE7D8-053B-6136-6E02-00000000F001}44403484C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048810Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:32.873{323FE7D8-053B-6136-6E02-00000000F001}44403484C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048809Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:32.573{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06C079427FA1EA41797A302AD3D0625A,SHA256=BAD917CAD0A60E511CD715E5AAE8D8004630B8C778DF88F749A074B94229AD0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029596Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:32.509{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85EC8C24E91786F6F5A9C8B72689C5C9,SHA256=438C5AA2ECE3467349F1FEABCD0646309DAEF0673F1AD5D2DFF62F8ADC337440,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029597Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:33.540{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB23C07ED9036D3BA3575CBEF8AA382C,SHA256=2EC75DF3143A62619E13E057E88A233B27F577D81F787B656D88045EB21A2010,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048815Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:33.584{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F6868FB5B5EA9178AFA950B849BC106,SHA256=F332C82CBE82FF8DDBDB3A5725966113F81BC0455FBFBCD949108A4FCBE8EA99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048816Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:34.586{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8086ABDED2B07109B3CE0369B88EF590,SHA256=CF31FB91F836B1D4C8FECB9BDB943645D03EE6177B49D08853AC3B26F5E7B06C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029599Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:32.111{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51165-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029598Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:34.556{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E52F1188B9BA769B0E148915CFE0B9CD,SHA256=D0619EEBF04D9F0220EA14EBD61DF865FDD99A11A9708DB4905B48010140AF34,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000048821Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-DeleteValue2021-09-06 14:03:35.801{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName 10341000x800000000000000048820Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:35.801{323FE7D8-053B-6136-6E02-00000000F001}44403484C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048819Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:35.801{323FE7D8-053B-6136-6E02-00000000F001}44403484C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048818Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:35.801{323FE7D8-053B-6136-6E02-00000000F001}44403484C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048817Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:35.601{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F493630E9FDCCF8BC16239289CDC457,SHA256=1AB4F03D2FC1C80BD798B19867FC5C29BB216B50DE9BA4E46C9DCD6E94523B42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029600Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:35.571{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFBB45D1131AAD27EF6327865B84AB7E,SHA256=216979C64B02A0A68C73FA01CD60398D353142DA4E043EBF8FEC75BFF0295A02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048830Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:36.602{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0A0475D3AD5498D0B56079734711C9F,SHA256=DB690692793B90CD176F56E1960DD2D649EB655BA7F81787D22D78DEAC164FCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029601Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:36.602{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=209362C6283747089257DE0023CE4A06,SHA256=C83723B9BD64FEF5AA71042E4D49AB36EA263D00906DBA7C4572830F44D7C48F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048829Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:36.440{323FE7D8-053B-6136-6E02-00000000F001}44403484C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6609-00000000F001}6292C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048828Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:36.440{323FE7D8-053B-6136-6E02-00000000F001}44403484C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6609-00000000F001}6292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048827Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:36.440{323FE7D8-053B-6136-6E02-00000000F001}44403484C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6609-00000000F001}6292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048826Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:36.440{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6709-00000000F001}2004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048825Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:36.440{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6709-00000000F001}2004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048824Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:36.440{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6709-00000000F001}2004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048823Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:36.440{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-1EFC-6136-6709-00000000F001}2004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048822Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:36.419{323FE7D8-022E-6136-1000-00000000F001}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=59FE813667E9B5DBA877A94695CC7E85,SHA256=C00D535E83856F49B0DAE067F8E14981259A914E0A05E3A645F746B3B74E6E9E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000048853Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:03:37.928{323FE7D8-1FB9-6136-8609-00000000F001}5912C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHashSHA256=DBC581B8781C7283AC913B343F0D49CFDF64E92651D5AF073FDC844C603C51EC 13241300x800000000000000048852Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:03:37.928{323FE7D8-1FB9-6136-8609-00000000F001}5912C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigFileC:\Program Files\ansible\AttackRangeSysmon.xml 16341600x800000000000000048851Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local2021-09-06 14:03:37.928C:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=DBC581B8781C7283AC913B343F0D49CFDF64E92651D5AF073FDC844C603C51EC 13241300x800000000000000048850Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:03:37.905{323FE7D8-1FB9-6136-8609-00000000F001}5912C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\RulesBinary Data 13241300x800000000000000048849Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:03:37.905{323FE7D8-1FB9-6136-8609-00000000F001}5912C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookupBinary Data 13241300x800000000000000048848Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:03:37.905{323FE7D8-1FB9-6136-8609-00000000F001}5912C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocationBinary Data 13241300x800000000000000048847Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:03:37.905{323FE7D8-1FB9-6136-8609-00000000F001}5912C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithmDWORD (0x8000000e) 13241300x800000000000000048846Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:03:37.905{323FE7D8-1FB9-6136-8609-00000000F001}5912C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000007) 12241200x800000000000000048845Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-DeleteValue2021-09-06 14:03:37.905{323FE7D8-1FB9-6136-8609-00000000F001}5912C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules 12241200x800000000000000048844Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-DeleteValue2021-09-06 14:03:37.905{323FE7D8-1FB9-6136-8609-00000000F001}5912C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookup 12241200x800000000000000048843Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-DeleteValue2021-09-06 14:03:37.905{323FE7D8-1FB9-6136-8609-00000000F001}5912C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocation 12241200x800000000000000048842Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-DeleteValue2021-09-06 14:03:37.905{323FE7D8-1FB9-6136-8609-00000000F001}5912C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm 12241200x800000000000000048841Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-DeleteValue2021-09-06 14:03:37.905{323FE7D8-1FB9-6136-8609-00000000F001}5912C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options 10341000x800000000000000048840Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:37.804{323FE7D8-1EFC-6136-6709-00000000F001}20041936C:\Windows\system32\conhost.exe{323FE7D8-1FB9-6136-8609-00000000F001}5912C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048839Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:37.788{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048838Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:37.788{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048837Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:37.788{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048836Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:37.788{323FE7D8-022E-6136-0C00-00000000F001}8484684C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048835Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:37.788{323FE7D8-0537-6136-5702-00000000F001}27563676C:\Windows\system32\csrss.exe{323FE7D8-1FB9-6136-8609-00000000F001}5912C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048834Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:37.788{323FE7D8-1EFC-6136-6609-00000000F001}62925640C:\Windows\system32\cmd.exe{323FE7D8-1FB9-6136-8609-00000000F001}5912C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048833Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:37.802{323FE7D8-1FB9-6136-8609-00000000F001}5912C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{323FE7D8-0539-6136-E7C9-190000000000}0x19c9e72HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{323FE7D8-1EFC-6136-6609-00000000F001}6292C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x800000000000000048832Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:37.604{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EAE06CDE2A6D35B8C230D39BB7F629E,SHA256=ABD6CCF99F22AFF2E90A427100AF5FA4C5215A38EC2268DD9A2D99C377E3C743,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029602Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:37.618{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9CAC28A8B3287B79053621027546B7B,SHA256=042EF56635A8CAF062FB72433575B6E6C871D51A37255342B36D24504827F015,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048831Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:34.649{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57460-false10.0.1.12-8000- 23542300x800000000000000048856Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:38.792{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DA83D759790B3EB07D7ABDDB7AD3D23,SHA256=996C2E566DB5EA610481C39364C97FF28A34C82BFFAE8BD4CF2A3E24C94D2292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048855Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:38.792{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47A618B6083250F1D9607B9053513D09,SHA256=B399D758A1D859B0A166678C1A71DEF75B6D6A0B0EED84955C4E29950D10DBBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048854Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:38.608{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50AF343599DFF474FDB50131D90D3AC5,SHA256=C1C0330AADF48D4F67B51E7180551C40E3BCEE0C96DA2DE34AB71A04B6203DEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029603Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:38.634{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=193FC17478DCC401D30F2F88FE6660CD,SHA256=6B346D1BF731E1FB4281E099727762EF8C5AFEC90CEB066ABBFA30D3096B4CD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029605Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:37.939{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51166-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029604Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:39.634{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40689C843768C258A7CE0AFD5C47B87B,SHA256=CA01C69981288D9D2F96C3407746666AB877F7FA793243E97EE34B5405391E1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048857Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:39.608{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74F9AD14B395C9B43C663B280662FB93,SHA256=E2C08E0BF1AAA6562103BE15EA8BFAABFAA1A0F66D081903A4324400A1F6A313,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048858Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:40.610{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9529865FA944DB1F43AE3C98D92F1C33,SHA256=C94BEE9400601B82A3377D7BF5D1755DB1ED17529C1EFDCE116E7303E430011C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029606Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:40.680{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=186A5A53F8DE47E3B2EFCC4A133F9C3D,SHA256=0F734817F07D3759247679D46353E6187BF1D3ABA11AE7AF6B04B5C4B5C4D998,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029607Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:41.695{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5350B5177765D7784A5836A3979221B0,SHA256=7743CAFCB84FC2C9B06CCD2E992D0EC656C4103798CAF480BA205DBD5ADA1DB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048859Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:41.612{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C26395892C99974A408408F8093258B,SHA256=9882A685C4BDB82F60EEADCF191AE1FBC913611097B7256263B9194762CEBBFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029608Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:42.695{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BD0663EC26253887727D1AE1DCE3A29,SHA256=5C8CB6684AF79112BD460CE5961D7AB0E17ABB1472FB069DFC0DCBC2F91126CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048860Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:42.630{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4EF6C3CFD1E30FC92DAC0D641363011,SHA256=7C958C6EE13FCF39DF29DFA5A7D4E42D15F309C140BA8739E126DFDCD5BA3269,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029609Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:43.758{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCE9C38C15E26EE074B38B4EC12B1196,SHA256=978A5C27E6732229ED490EAAC29A34F6F0E2BE76691349B81833E595FD8AE04B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048862Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:43.650{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F046A1C1D7CC5360177C58350933667,SHA256=7022A64AF030EB8549CAFD1A714D5F8E63EF63CD1716DA38225B51E07E1C8109,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048861Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:40.642{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57461-false10.0.1.12-8000- 23542300x800000000000000029610Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:44.773{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6499AA693C7C727E7C7B924EADD516FA,SHA256=B4C0B16792629FE6FD11BE1D0D6F95C33BFEE22C25AA668CDD21E467B62B318F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048863Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:44.696{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E389186E5A87F30F72BDBD3224083A0,SHA256=B805E2FAD01F2F8EE693F73CA723B79DC5DD99223CA4101554911DF2A1C144CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029612Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:43.922{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51167-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029611Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:45.789{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AC7B46318E4AF6D48B1DD23B56E4820,SHA256=E06595DAE1BC4E055FB5BAA6A41723D36ACB0BC5FC04E45A61FB351A1D4FE6A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048864Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:45.711{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05E69362731C029407C1FFEBCC70059F,SHA256=FB3F85A40002AC5C40C000EC9DA3B1AD524EBA3D868EA2A2D6058F0B28ED7F79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029613Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:46.805{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3431C499D46A39311F030EE6868CD97F,SHA256=1749885141A9BC7C2857A883EC9A4B9C5804BED30E89CC6CA2275FAB2EA89526,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048924Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.981{323FE7D8-053B-6136-6E02-00000000F001}44404024C:\Windows\Explorer.EXE{323FE7D8-1FC2-6136-8709-00000000F001}3716C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048923Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.981{323FE7D8-053B-6136-6E02-00000000F001}44404024C:\Windows\Explorer.EXE{323FE7D8-1FC2-6136-8709-00000000F001}3716C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048922Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.981{323FE7D8-053B-6136-6E02-00000000F001}44404024C:\Windows\Explorer.EXE{323FE7D8-1FC2-6136-8709-00000000F001}3716C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048921Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.981{323FE7D8-053B-6136-6E02-00000000F001}44404024C:\Windows\Explorer.EXE{323FE7D8-1FC2-6136-8709-00000000F001}3716C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048920Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.950{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-1FC2-6136-8809-00000000F001}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048919Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.950{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-1FC2-6136-8809-00000000F001}4052C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048918Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.950{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-1FC2-6136-8809-00000000F001}4052C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048917Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.950{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-1FC2-6136-8809-00000000F001}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048916Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.930{323FE7D8-022F-6136-1600-00000000F001}13081976C:\Windows\system32\svchost.exe{323FE7D8-1FC2-6136-8809-00000000F001}4052C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048915Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.930{323FE7D8-022F-6136-1600-00000000F001}13081348C:\Windows\system32\svchost.exe{323FE7D8-1FC2-6136-8809-00000000F001}4052C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048914Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.911{323FE7D8-1FC2-6136-8809-00000000F001}40526368C:\Windows\system32\conhost.exe{323FE7D8-1FC2-6136-8709-00000000F001}3716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048913Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.848{323FE7D8-0537-6136-5702-00000000F001}27564164C:\Windows\system32\csrss.exe{323FE7D8-1FC2-6136-8809-00000000F001}4052C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048912Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.832{323FE7D8-022E-6136-1200-00000000F001}7683608C:\Windows\System32\svchost.exe{323FE7D8-1FC2-6136-8709-00000000F001}3716C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048911Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.832{323FE7D8-022E-6136-1200-00000000F001}7683608C:\Windows\System32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048910Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.832{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048909Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.832{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048908Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.832{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048907Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.832{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048906Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.832{323FE7D8-0537-6136-5702-00000000F001}27563676C:\Windows\system32\csrss.exe{323FE7D8-1FC2-6136-8709-00000000F001}3716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048905Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.832{323FE7D8-053B-6136-6E02-00000000F001}44403540C:\Windows\Explorer.EXE{323FE7D8-1FC2-6136-8709-00000000F001}3716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+18cfac|C:\Windows\System32\SHELL32.dll+18cd03|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048904Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.843{323FE7D8-1FC2-6136-8709-00000000F001}3716C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" "C:\Temp\ATTACKRANGE\Administrator{323FE7D8-0539-6136-E7C9-190000000000}0x19c9e72HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x800000000000000048903Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.433{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048902Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.432{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048901Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.432{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048900Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.432{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048899Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.432{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048898Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.432{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048897Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.431{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048896Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.431{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048895Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.431{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048894Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.431{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048893Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.431{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048892Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.431{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048891Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.430{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048890Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.430{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2D00-00000000F001}1684C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048889Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.430{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2D00-00000000F001}1684C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048888Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.430{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048887Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.429{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048886Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.429{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048885Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.429{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048884Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.429{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048883Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.429{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048882Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.429{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048881Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.429{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048880Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.429{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048879Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.429{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048878Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.429{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048877Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.428{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048876Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.428{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048875Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.428{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048874Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.428{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048873Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.428{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048872Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.428{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048871Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.428{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048870Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.428{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048869Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.428{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048868Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.427{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048867Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.427{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048866Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.427{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048865Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:46.427{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048932Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:47.843{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F219C27B13FA17B3901D73C3964F5B1E,SHA256=52764C8A94B6BF3B290DF3E4737B2AE78D22C2B732549B89CAC6AD232CEFE60F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048931Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:47.842{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DA83D759790B3EB07D7ABDDB7AD3D23,SHA256=996C2E566DB5EA610481C39364C97FF28A34C82BFFAE8BD4CF2A3E24C94D2292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029614Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:47.820{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60FA15B9A49272C03BC56A32C8A315B1,SHA256=2812B7148265EF57EBA39B8F3ED8516E415EBA62B59316B5D9F07BC00D05C900,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048930Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:47.087{323FE7D8-053B-6136-6E02-00000000F001}44403484C:\Windows\Explorer.EXE{323FE7D8-1FC2-6136-8709-00000000F001}3716C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048929Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:47.087{323FE7D8-053B-6136-6E02-00000000F001}44403484C:\Windows\Explorer.EXE{323FE7D8-1FC2-6136-8709-00000000F001}3716C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048928Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:47.087{323FE7D8-053B-6136-6E02-00000000F001}44403484C:\Windows\Explorer.EXE{323FE7D8-1FC2-6136-8709-00000000F001}3716C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048927Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:47.040{323FE7D8-053A-6136-6802-00000000F001}51044592C:\Windows\system32\taskhostw.exe{323FE7D8-1FC2-6136-8809-00000000F001}4052C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048926Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:47.032{323FE7D8-053A-6136-6802-00000000F001}51044592C:\Windows\system32\taskhostw.exe{323FE7D8-1FC2-6136-8809-00000000F001}4052C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048925Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:47.029{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E87911FA2A1EB0A6473B40A8B3E6FA7,SHA256=40C23FBEE678F8E9F56E502209B0A80E5566B7928FADE0D966080F79BC1BFFA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029615Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:48.837{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=442BE1ADC8E071DAA803E044F3B440F3,SHA256=492CA6DEA8BD1AB9E46B28808A8345BADF36603480CDA756A0882FFD6B8AE4B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048935Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:48.860{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AA2B3D5C833E7EE201E7F4058109819,SHA256=FFD55EE4C2F9FC2412C4FB71BE55C3222ED9086791A489D591808BF38017F429,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048934Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:45.674{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57462-false10.0.1.12-8000- 23542300x800000000000000048933Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:48.176{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB5A85ECB1C3FECDF5FB2A58C1A75A5,SHA256=247B3FB95055E08C05B7D0AF34FF3B5AF39DB1A80A1682ECC091CFBF3D7DD444,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029617Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:49.852{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB8D30BC61FCD11D2B4510AF6C201E7,SHA256=9B7737D83B2ACA53CBBF4A5EFC459A84081D0FBD7F11FAFD40A1E7E16FACE57B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048936Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:49.875{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0135BAF963DC9A9FCE61BD5D329E5F7,SHA256=8E4365EE3BAC8473B585CB2DD1A3713BE453ED3B8AD063C610B02CD6A66D93C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029616Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:49.214{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\respondent-20210906120554-114MD5=4761C661187147E55C9BD88F93ACDD3F,SHA256=E49051AD655512C416AEEFA39D6145E31F50204E8459201070596158B48A8487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029619Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:50.868{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8796E844C69608D234537A01F6E96825,SHA256=6388F2484F999E9215B3297E98718D1352BDEA86A4E526C2B0B87CC05923B1EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029618Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:50.229{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\surveyor-20210906120551-115MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048979Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.622{323FE7D8-1FC2-6136-8809-00000000F001}40526368C:\Windows\system32\conhost.exe{323FE7D8-1FC6-6136-8D09-00000000F001}2576C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048978Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.591{323FE7D8-0537-6136-5702-00000000F001}27566472C:\Windows\system32\csrss.exe{323FE7D8-1FC6-6136-8D09-00000000F001}2576C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048977Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.591{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048976Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.591{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048975Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.591{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048974Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.591{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048973Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.591{323FE7D8-1FC2-6136-8709-00000000F001}37166420C:\Windows\system32\cmd.exe{323FE7D8-1FC6-6136-8D09-00000000F001}2576C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048972Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.598{323FE7D8-1FC6-6136-8D09-00000000F001}2576C:\Windows\System32\bcdedit.exe10.0.14393.4583 (rs1_release.210730-1850)Boot Configuration Data EditorMicrosoft® Windows® Operating SystemMicrosoft Corporationbcdedit.exebcdedit /deletevalue {current} safebootC:\Temp\ATTACKRANGE\Administrator{323FE7D8-0539-6136-E7C9-190000000000}0x19c9e72HighMD5=18A7F41EC0239BFA02C9B3903356377E,SHA256=DC21C5A8BCAA1EDA369801A297FFB1AB6AC73887F676E25A71140BDDC5553462,IMPHASH=640CFCF7F00029D52EF0C4D45E2E87A6{323FE7D8-1FC2-6136-8709-00000000F001}3716C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 10341000x800000000000000048971Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.559{323FE7D8-1FC2-6136-8809-00000000F001}40526368C:\Windows\system32\conhost.exe{323FE7D8-1FC6-6136-8C09-00000000F001}3444C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048970Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.544{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048969Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.544{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048968Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.544{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048967Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.544{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048966Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.544{323FE7D8-0537-6136-5702-00000000F001}27564164C:\Windows\system32\csrss.exe{323FE7D8-1FC6-6136-8C09-00000000F001}3444C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048965Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.544{323FE7D8-1FC2-6136-8709-00000000F001}37166420C:\Windows\system32\cmd.exe{323FE7D8-1FC6-6136-8C09-00000000F001}3444C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048964Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.549{323FE7D8-1FC6-6136-8C09-00000000F001}3444C:\Windows\System32\bcdedit.exe10.0.14393.4583 (rs1_release.210730-1850)Boot Configuration Data EditorMicrosoft® Windows® Operating SystemMicrosoft Corporationbcdedit.exebcdedit /set {current} safeboot networkC:\Temp\ATTACKRANGE\Administrator{323FE7D8-0539-6136-E7C9-190000000000}0x19c9e72HighMD5=18A7F41EC0239BFA02C9B3903356377E,SHA256=DC21C5A8BCAA1EDA369801A297FFB1AB6AC73887F676E25A71140BDDC5553462,IMPHASH=640CFCF7F00029D52EF0C4D45E2E87A6{323FE7D8-1FC2-6136-8709-00000000F001}3716C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 13241300x800000000000000048963Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:03:50.538{323FE7D8-1FC6-6136-8B09-00000000F001}3384C:\Windows\system32\reg.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon1 10341000x800000000000000048962Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.506{323FE7D8-1FC2-6136-8809-00000000F001}40526368C:\Windows\system32\conhost.exe{323FE7D8-1FC6-6136-8B09-00000000F001}3384C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048961Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.490{323FE7D8-0537-6136-5702-00000000F001}27566472C:\Windows\system32\csrss.exe{323FE7D8-1FC6-6136-8B09-00000000F001}3384C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048960Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.490{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048959Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.490{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048958Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.490{323FE7D8-1FC2-6136-8709-00000000F001}37166420C:\Windows\system32\cmd.exe{323FE7D8-1FC6-6136-8B09-00000000F001}3384C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048957Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.490{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048956Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.490{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048955Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.494{323FE7D8-1FC6-6136-8B09-00000000F001}3384C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /fC:\Temp\ATTACKRANGE\Administrator{323FE7D8-0539-6136-E7C9-190000000000}0x19c9e72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{323FE7D8-1FC2-6136-8709-00000000F001}3716C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 13241300x800000000000000048954Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:03:50.475{323FE7D8-1FC6-6136-8A09-00000000F001}4188C:\Windows\system32\reg.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword12345 10341000x800000000000000048953Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.460{323FE7D8-1FC2-6136-8809-00000000F001}40526368C:\Windows\system32\conhost.exe{323FE7D8-1FC6-6136-8A09-00000000F001}4188C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048952Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.443{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048951Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.443{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048950Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.443{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048949Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.443{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048948Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.443{323FE7D8-0537-6136-5702-00000000F001}27563676C:\Windows\system32\csrss.exe{323FE7D8-1FC6-6136-8A09-00000000F001}4188C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048947Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.443{323FE7D8-1FC2-6136-8709-00000000F001}37166420C:\Windows\system32\cmd.exe{323FE7D8-1FC6-6136-8A09-00000000F001}4188C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048946Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.449{323FE7D8-1FC6-6136-8A09-00000000F001}4188C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d 12345 /fC:\Temp\ATTACKRANGE\Administrator{323FE7D8-0539-6136-E7C9-190000000000}0x19c9e72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{323FE7D8-1FC2-6136-8709-00000000F001}3716C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 13241300x800000000000000048945Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:03:50.422{323FE7D8-1FC6-6136-8909-00000000F001}2296C:\Windows\system32\reg.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserNameadministrator 10341000x800000000000000048944Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.422{323FE7D8-1FC2-6136-8809-00000000F001}40526368C:\Windows\system32\conhost.exe{323FE7D8-1FC6-6136-8909-00000000F001}2296C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048943Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.390{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048942Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.390{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048941Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.390{323FE7D8-0537-6136-5702-00000000F001}27566472C:\Windows\system32\csrss.exe{323FE7D8-1FC6-6136-8909-00000000F001}2296C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048940Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.390{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048939Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.390{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048938Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.390{323FE7D8-1FC2-6136-8709-00000000F001}37166420C:\Windows\system32\cmd.exe{323FE7D8-1FC6-6136-8909-00000000F001}2296C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048937Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.398{323FE7D8-1FC6-6136-8909-00000000F001}2296C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d administrator /fC:\Temp\ATTACKRANGE\Administrator{323FE7D8-0539-6136-E7C9-190000000000}0x19c9e72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{323FE7D8-1FC2-6136-8709-00000000F001}3716C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 23542300x800000000000000029622Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:51.884{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87869D6236D32BC6ED08E7B1E5C34318,SHA256=5F887927B92C2E21F7E6DE94A8EC3CD346CB267EF7453CF6A28C0BAD92C66219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029621Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:51.743{FFF7FB96-041E-6136-1200-00000000F101}1020NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=475F1DBC35EA9499E9B541EF3950A7F3,SHA256=410D5987D984D8BE32E5D0093FDFC9CD6455C8CD298B5E2E7FF33C6A37BF0D92,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029620Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:49.002{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51168-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000048981Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:51.391{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F219C27B13FA17B3901D73C3964F5B1E,SHA256=52764C8A94B6BF3B290DF3E4737B2AE78D22C2B732549B89CAC6AD232CEFE60F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048980Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:51.007{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF327E8869766600D9B86885B8CCF0C0,SHA256=59FD0ADB508E3E3D3DA0B6C0F1F91994DCC740B90D04EA1DBC188F0EEAB8DD8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029623Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:52.884{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6064D8942572A04BFCDEE21C2BD3EB2,SHA256=7D6EA2887475BD3E68920E4C7BD7512CE03D685902F08C90B40E1F51F0BDA3DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048989Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:52.606{323FE7D8-053B-6136-6E02-00000000F001}44403484C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048988Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:52.606{323FE7D8-053B-6136-6E02-00000000F001}44403484C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048987Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:52.606{323FE7D8-053B-6136-6E02-00000000F001}44403484C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048986Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:52.606{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048985Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:52.606{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048984Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:52.606{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048983Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:52.606{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-0A16-6136-E106-00000000F001}4448C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048982Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:52.022{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9049E9EA42ADEB5A3B70E581FF7D09B3,SHA256=714A8FD3BCE2FD7A36AAA69F267883CADE003661019B5595AB76F40BFAEF57B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029624Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:53.899{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D24BCE3B72CD5DCE2981EC16510D886E,SHA256=E9B3DAE411D80D13CFB1D7F28BA154558EA5FD978A510E400E49ACDE24A25D41,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048991Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:50.701{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57463-false10.0.1.12-8000- 23542300x800000000000000048990Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:53.044{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8741B3C20C70C8A075051FB88567FCC7,SHA256=45EEB7F740437980AC474A19769148DB83B83A112246F0CCC1713300AF5F5E6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029625Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:54.899{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D81DBD425556440A9ED6FCA3DC331C8,SHA256=4805256A93EB5239EFBCFC993FC47C01C5D8C10E4CE47D582AA3592C622DC7BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048992Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:54.059{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E82FFFA83C1734385DE8E74B262F86E,SHA256=B93DE15EE7AC167D04A9E85543ED0122E42129FF6965ADB614341DE58BDA5187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029626Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:55.915{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=799BF9C1C2055E81799E947C206D3843,SHA256=8F3C8BD8807DFAD4902AC4BB8DB01D8C4913699B6BD066D60B0D8372BE6EF4A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048993Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:55.079{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D88283BC593E3DE49491E764DACFB7A,SHA256=1587106AE97128BDA0A36381AB50186A758A34399923346E73B5EB8FC05E94E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029627Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:56.930{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C562A371676F5346D554FD4EC6E3FE29,SHA256=5F60269B8D2A5A9F97FFD9ADFE69B893B97F54609E026011DD8ACFEC7645A85F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048994Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:56.080{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=085A00B3F88F6B9FBCF60F52FE33B6E8,SHA256=41015444E2605F35E8169F632BA8EBD7E7DBEAF69EB3B3663F81F29D59C2975F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029629Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:57.930{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33399C70749C5779BC1A68F42B637E2B,SHA256=F756EF27C2676C5DFE5B71DEAF7FE1BCFA53A61BA2F68F62A4F6BB3801352FCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048995Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:57.095{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7DAE550A6439D159850417AD65696CE,SHA256=8772930C57DB093EB3AD0CAD035CAA59F6E2DD27035EA12AD2B4176D5B5C0AAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029628Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:54.908{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51169-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029630Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:58.930{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC3FE806AC4473D153983B7CC377D790,SHA256=8FBABD9306C4FBC32763E26C09BA98132D2E122C46069F252DB2A2D6646A5B03,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048997Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:55.758{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57464-false10.0.1.12-8000- 23542300x800000000000000048996Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:58.125{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5DF77DE39AF56D3B478AD509D7B48F8,SHA256=970338AC48FD6B376B47F1086106553B51BC0B58656673D83693773B64C50B7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029631Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:03:59.934{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0050B2BF527A1C53A0202988EC84B328,SHA256=B7249B1602EF76EB3D145A6C6FB4671683A00B9497E389CAAF994D7006847B53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048998Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:03:59.143{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFFEC83C9D5C1BEDE164B7AE2B9F1622,SHA256=9555DB8B289D2200CBC12F3F27C6493B6FE56D34667C1FAA2A6CDB0F742E4A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029632Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:00.949{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A24CC84337267A834A1FBDA0C947655,SHA256=8E00FC276C247FD5CDC88C5CB53711F850A90625B4CD3103D0516F4C5BB3E5B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049008Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:00.492{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=A88FFBE4C4D58E8881CF76B6011FF191,SHA256=4862F75C62391C13958C7216DA83B49E8376E64FB819EFBCD0845BC013BC741C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049007Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:00.492{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=29972320AFC5A861BB2C1EB842FE4D8E,SHA256=9C11171A7213774A3E72C421B694087A78C99995595B814BDEB8576563AB1E8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049006Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:00.492{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=737663FBA9AD918060AF701E2C0EEC84,SHA256=FD4BC9A2335B46FD788C83632A8609A1F3E84E3C494A7A0F5791B875E939595E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049005Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:00.492{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=4B3B47BDCDE2FA5B23FE230CB2040052,SHA256=B654AC0EF67978274EDF26873A9261B9C96B2ACF958CB4E7D0C8789E8FA9A37D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049004Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:00.492{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=D7AD818DCB07A284407A5B376A109B89,SHA256=C0EA84AD758764F15B40E3E1D92C655B424D8950BD229619E865CE7935150663,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049003Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:00.492{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=CBF69B0F850233A926C5A096A44A67C3,SHA256=464B874349E0EBA69C76A08D286AAB48D550905FB84691C863B7331C2679612E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049002Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:00.492{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=F22F5966303C10F30A4EE80301A15640,SHA256=69960849F0B429458A24C7EE0CF94FABB120BF92D86C1F9594D424F529B9FD93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049001Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:00.492{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=E2CA54255264C6466510B2AC3BAA0C22,SHA256=2E57A260DA8FF0FCA007BCEB259EFEBE3232751CA6A5288032530EE89EC8CCDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049000Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:00.492{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=6A024E8FBA80048C18543BE2C3AA8E72,SHA256=B1F91186083E78D0C2ED8A198432475954F6C609A288859FEBE7C96D9B6D2ED9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048999Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:00.177{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCDF9DBD75B93DAB5D0D697B471EAA31,SHA256=4C37D483DF2C6E21CC23C99F3D9B421CE553F3BB051CC4AA0436B2F9A9A71583,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029633Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:01.965{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFAF8AE4590CDA7E245BACE06470CD03,SHA256=645E84FEAC9D041D93E91FC224623F879B2DD59A60B5DF0C2CCF98622C471DCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049010Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:01.192{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFC23247B0AA0D2A40BBA7426C32F7F6,SHA256=13F1814EAB0B501D9DCCFF360D0C7248A5F78C5F52A42137DD7E3A9D6310A657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049009Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:01.010{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\respondent-20210906115753-122MD5=58D52BFFD80488B8005F7C319C2D4334,SHA256=B9D8441D1BC2ED8425146F5F211E2A21C477807F4E0B7EBAD9811C868FAB9279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029634Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:02.965{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4373F3D8502BC0FC3D6E8F5F74ECA689,SHA256=F3BAE296B1DADBB18A83339CEC230507F7D9ABFF2A62A6F058F378963D787A36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049012Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:02.193{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33B6A78B72D251445311140D5B74117E,SHA256=47494FBAB6B73D5221003DB38B78BA662F29208EEB1898715B9518C3304C0F54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049011Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:02.010{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\surveyor-20210906115751-123MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029636Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:03.965{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36E9FD5597D90DDD779763005A012E4F,SHA256=C2B601B923BCEE06A9322F52C36473A75544B22042869CDC89E7442F92CBB661,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049014Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:00.786{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57465-false10.0.1.12-8000- 23542300x800000000000000049013Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:03.194{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=615042E4B3948A6FFCCF94B808441A16,SHA256=36134F0490469FF5CDA8B488FE062F356FF6ACAA201D77D3A0F73FE39AEE11EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029635Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:00.942{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51170-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000049032Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:04.854{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1FD4-6136-8F09-00000000F001}6828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049031Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:04.854{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049030Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:04.854{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049029Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:04.854{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049028Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:04.854{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049027Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:04.854{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1FD4-6136-8F09-00000000F001}6828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049026Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:04.854{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1FD4-6136-8F09-00000000F001}6828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049025Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:04.855{323FE7D8-1FD4-6136-8F09-00000000F001}6828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000049024Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:04.591{323FE7D8-1FD4-6136-8E09-00000000F001}13324996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049023Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:04.278{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1FD4-6136-8E09-00000000F001}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049022Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:04.278{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049021Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:04.278{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049020Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:04.278{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049019Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:04.278{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049018Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:04.278{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1FD4-6136-8E09-00000000F001}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049017Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:04.278{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1FD4-6136-8E09-00000000F001}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049016Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:04.279{323FE7D8-1FD4-6136-8E09-00000000F001}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049015Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:04.209{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5855EBF3C08353DF694A01F3CAE70036,SHA256=1FC0D7528583371F7B8F1606BECD5A69AA0DD2581E85BC0B50F7DEC3D1EC596C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029649Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:04.418{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1FD4-6136-F206-00000000F101}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029648Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:04.418{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029647Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:04.418{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029646Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:04.418{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029645Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:04.418{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029644Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:04.418{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029643Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:04.418{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029642Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:04.418{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029641Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:04.418{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029640Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:04.418{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029639Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:04.418{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1FD4-6136-F206-00000000F101}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029638Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:04.418{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1FD4-6136-F206-00000000F101}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029637Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:04.419{FFF7FB96-1FD4-6136-F206-00000000F101}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000049043Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:05.522{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1FD5-6136-9009-00000000F001}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049042Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:05.522{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049041Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:05.522{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049040Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:05.522{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049039Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:05.522{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049038Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:05.522{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1FD5-6136-9009-00000000F001}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049037Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:05.522{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1FD5-6136-9009-00000000F001}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049036Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:05.523{323FE7D8-1FD5-6136-9009-00000000F001}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049035Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:05.285{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBBCF3F6F8F1060C016F22DDBCD2D63E,SHA256=4580266A79C66180088F881E223EEC3C933BB898EB1F325D900024C48EBEEB20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049034Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:05.285{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C342056DE5C6DE2E13D86292296255E9,SHA256=7D4C2F02F81E8FD0F305929564800F4EEBA14681327F224819DFF226DECCD7B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049033Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:05.222{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEF2A5016CC64F33063CA5821346C521,SHA256=A09AE6899764EC91BB37F21B292E9461A65EE3C248CE1F8B9D3FBF8F25C0B922,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029679Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:05.699{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1FD5-6136-F406-00000000F101}2244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029678Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:05.699{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029677Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:05.699{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029676Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:05.699{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029675Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:05.699{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029674Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:05.699{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029673Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:05.699{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029672Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:05.699{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029671Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:05.699{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029670Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:05.699{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029669Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:05.699{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1FD5-6136-F406-00000000F101}2244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029668Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:05.699{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1FD5-6136-F406-00000000F101}2244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029667Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:05.700{FFF7FB96-1FD5-6136-F406-00000000F101}2244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029666Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:05.652{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=361CE6CE435723CB22883C70EBF61FF0,SHA256=3409DEDDDD96DFFBD8E4125912A1E73AF2B56AFDE6B8B655A874447D487F3403,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029665Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:05.652{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=599F4D418DE6D8086FDEBE6F557F942F,SHA256=EC3106D8E35443150990BC30C210F7273E27418D34B8D90A65F42972DCBA8F6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029664Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:05.231{FFF7FB96-1FD5-6136-F306-00000000F101}2228936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029663Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:05.059{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1FD5-6136-F306-00000000F101}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029662Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:05.059{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029661Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:05.059{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029660Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:05.059{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029659Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:05.059{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029658Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:05.059{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029657Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:05.059{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029656Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:05.059{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029655Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:05.059{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029654Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:05.059{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029653Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:05.059{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1FD5-6136-F306-00000000F101}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029652Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:05.059{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1FD5-6136-F306-00000000F101}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029651Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:05.060{FFF7FB96-1FD5-6136-F306-00000000F101}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029650Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:04.996{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24C106991707A843764D667395D7E2D8,SHA256=B6712667B6D1AB20CC1BCCF04EB9B49CE90976EDFB15BF3EB1CBD21CC84CFF73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049045Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:06.537{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBBCF3F6F8F1060C016F22DDBCD2D63E,SHA256=4580266A79C66180088F881E223EEC3C933BB898EB1F325D900024C48EBEEB20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049044Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:06.237{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53C2837C7BEDB364992266718DE3C1EB,SHA256=D79739352744AE163EDA0C6F05D9551A5E20953F740CDC16BF0C21AF66569C04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029685Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:06.715{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=361CE6CE435723CB22883C70EBF61FF0,SHA256=3409DEDDDD96DFFBD8E4125912A1E73AF2B56AFDE6B8B655A874447D487F3403,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029684Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:06.215{FFF7FB96-049C-6136-9F00-00000000F101}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029683Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:06.199{FFF7FB96-049C-6136-9F00-00000000F101}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=555C74D64C5D457A3CE9C4D113A7BE09,SHA256=01451346E4CD1910C03BE75C374A2842992BF5B8DF9866C54884425575822EA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029682Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:06.199{FFF7FB96-049C-6136-9F00-00000000F101}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=B844ACBEB080E6EFBFB57A40933420BD,SHA256=8B8018110F24DCE2970B358CDAAE4FD74548A372DC93F2E86414A2535D667EC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029681Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:06.199{FFF7FB96-049C-6136-9F00-00000000F101}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=D1068DF1AA385C555CC2C8AE4CB78E54,SHA256=0830B9AB8B6DC66725D65420689F683F8D12720FB0A3AEDCEE5AACEC6B150402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029680Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:06.043{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=809CEA944CC3201565528B84DB5EE48D,SHA256=6A3FB4B554DC09B14B581EFB8F83076B34DF7E9AF72C889B1C235C29C0064210,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049054Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:07.683{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1FD7-6136-9109-00000000F001}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049053Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:07.683{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049052Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:07.683{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049051Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:07.683{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049050Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:07.683{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049049Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:07.683{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1FD7-6136-9109-00000000F001}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049048Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:07.683{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1FD7-6136-9109-00000000F001}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049047Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:07.684{323FE7D8-1FD7-6136-9109-00000000F001}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049046Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:07.252{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=292A95FA66B577E9CD2A68C18763CBCC,SHA256=7551BFD90E8DBB91B3CC696C6C72A7F8A53AFB86D2D32888C76BC686AF93FFE8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029716Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:07.871{FFF7FB96-1FD7-6136-F606-00000000F101}28243460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000029715Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:06.053{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51172-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000029714Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:06.036{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51171-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000029713Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:07.684{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1FD7-6136-F606-00000000F101}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029712Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:07.684{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029711Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:07.684{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029710Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:07.684{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029709Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:07.684{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029708Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:07.684{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029707Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:07.684{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029706Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:07.684{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029705Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:07.684{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029704Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:07.684{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029703Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:07.684{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1FD7-6136-F606-00000000F101}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029702Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:07.684{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1FD7-6136-F606-00000000F101}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029701Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:07.685{FFF7FB96-1FD7-6136-F606-00000000F101}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029700Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:07.403{FFF7FB96-1FD7-6136-F506-00000000F101}3603284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029699Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:07.184{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1FD7-6136-F506-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029698Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:07.184{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029697Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:07.184{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029696Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:07.184{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029695Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:07.184{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029694Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:07.184{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029693Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:07.184{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029692Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:07.184{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029691Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:07.184{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1FD7-6136-F506-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029690Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:07.184{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029689Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:07.184{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029688Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:07.184{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1FD7-6136-F506-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029687Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:07.185{FFF7FB96-1FD7-6136-F506-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029686Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:07.090{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F1294DC6CDC9E8C501F8EA443D04F2,SHA256=F034AA1DE3501230494C8CC7573243AAA508C9444BC771526FEE05C7E9AC08B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029744Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:08.840{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1FD8-6136-F806-00000000F101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029743Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:08.840{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029742Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:08.840{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029741Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:08.840{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029740Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:08.840{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029739Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:08.840{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029738Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:08.840{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029737Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:08.840{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029736Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:08.840{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029735Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:08.840{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029734Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:08.840{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1FD8-6136-F806-00000000F101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029733Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:08.840{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1FD8-6136-F806-00000000F101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029732Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:08.846{FFF7FB96-1FD8-6136-F806-00000000F101}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029731Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:08.340{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1FD8-6136-F706-00000000F101}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029730Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:08.340{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029729Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:08.340{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029728Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:08.340{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029727Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:08.340{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029726Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:08.340{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029725Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:08.340{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029724Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:08.340{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029723Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:08.340{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029722Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:08.340{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029721Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:08.340{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1FD8-6136-F706-00000000F101}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029720Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:08.340{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1FD8-6136-F706-00000000F101}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029719Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:08.342{FFF7FB96-1FD8-6136-F706-00000000F101}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029718Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:08.340{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=177586CDB213C933D18E92E6E7C3C0C3,SHA256=EBCC73FDDF771696E63CFE3C21F0B2EC26F59397C7E343D56EB2CFCDB404DE62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029717Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:08.340{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=654F17FBA9203FD912ED80C99C1415D7,SHA256=147B10E47846C7DE30CB9B6697E75426F828CF306E87A49D78264EC3F7FFE883,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049077Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:08.798{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1FD8-6136-9309-00000000F001}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049076Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:08.798{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049075Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:08.798{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049074Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:08.798{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049073Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:08.798{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049072Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:08.798{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1FD8-6136-9309-00000000F001}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049071Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:08.798{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1FD8-6136-9309-00000000F001}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049070Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:08.799{323FE7D8-1FD8-6136-9309-00000000F001}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049069Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:08.714{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC5F6D92590C77CD52C57FE5FCD206CA,SHA256=FAF14D8C7E8D5483E9D009773B0990A680AD1FFFD535C41DB95D0CBA821CE71F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049068Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:08.416{323FE7D8-1FD8-6136-9209-00000000F001}58923192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000049067Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:06.662{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57467-false10.0.1.12-8000- 354300x800000000000000049066Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:05.432{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local57466-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000049065Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:05.432{323FE7D8-023F-6136-2800-00000000F001}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local57466-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 23542300x800000000000000049064Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:08.299{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F444420588FE8FE0625711CB52454D4B,SHA256=080A1D9ACEAAF8A805BA62BF9BDC9DF2031E9DFCE129277061E6DFE163E6D3D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049063Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:08.198{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1FD8-6136-9209-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049062Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:08.198{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049061Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:08.198{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049060Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:08.198{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049059Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:08.198{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049058Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:08.198{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1FD8-6136-9209-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049057Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:08.198{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1FD8-6136-9209-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049056Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:08.199{323FE7D8-1FD8-6136-9209-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000049055Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:08.054{323FE7D8-1FD7-6136-9109-00000000F001}38766336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029747Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:09.465{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8650E4EE33872A850EFFE72360F02C65,SHA256=9810E790CEEE9C0120A5D801A37CBE992F0A22AAE35AA57216DD4D4EB9A82F88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029746Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:09.465{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA4A107782BDE2F9C33EB34CD035074E,SHA256=77AAA9D9E8D2FA576D12E93A38ACDE607F9A80D5DC8C8F15DE4161276646BE15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049088Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:09.804{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6533AFBE7B1DDD793F4292A436B87D9F,SHA256=FBC42AAA8883BADA95F53D8931ABD737A8D3C2987D362B75A98BD6400688EE1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049087Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:09.388{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1FD9-6136-9409-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049086Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:09.385{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049085Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:09.385{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049084Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:09.385{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049083Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:09.384{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049082Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:09.384{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1FD9-6136-9409-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049081Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:09.384{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1FD9-6136-9409-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049080Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:09.383{323FE7D8-1FD9-6136-9409-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049079Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:09.303{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3E7DAE3D794F332D6906FBE33A7CB19,SHA256=14593084377B57599534A7369773B47E436BB16C7EE086B2BAEC3C3859A179A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029745Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:09.027{FFF7FB96-1FD8-6136-F806-00000000F101}30803764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049078Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:09.087{323FE7D8-1FD8-6136-9309-00000000F001}39965652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029748Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:10.496{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6910B3A8868AE8082471883A3C6B32ED,SHA256=6AD468E63F287E4D6EC91FF5AE26DE34612058FEC9E8C38A498CCE907AD87DCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049089Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:10.304{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=973D178E738FC1AC418BEA1FAD4C75DE,SHA256=04C3D47BB6F522F88F7DCF8ED5E198C2C6577FC0A2E09E2D6C1391D918C96B89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029749Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:11.496{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46AB7A0C8D866C79B918084996D73376,SHA256=07F0FB10F23103F300996FBD3D59AF28A4A053A693F4AC525C8CF858A5B0B68B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049090Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:11.319{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=715B346603BEC1E6EF6F6DB05CC78F8B,SHA256=7C0DBBE1D4D185278B95193F80866F275CDF621979747D9D827319B3727C4AE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029750Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:12.527{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1529E61A7D74E8B08B329E1885058636,SHA256=C8FFBB6B78EE69A8329BEBE1E4660F983DC935C15F1977215A075FB478A39F40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049091Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:12.334{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08FCFC7E2DF6A428A14B253E4744F8BE,SHA256=DF5F9B030679DD1A3C3D77B0998A7A4D72B58EB312771F0B17AF145476C2D893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049092Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:13.364{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=578007E1F4182B65F870F9AC782A1019,SHA256=EE1353F49419D3594B316FE073497837B456CE0CBB631D5CAEF26BAE1F85AE83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029751Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:13.543{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A05EADD11278A4BA41622FBF21930883,SHA256=B7362FBD777DFE2F2767738EC86FD4BD99DBF68E737AAB4E4E8D3B7A9BA2B03F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049093Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:14.385{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D892B2FE495F6EFD6342B506217A03BF,SHA256=020CFA66146DCFF92C8FAB00995876CE7F1A109602A5A5F33BB03D3E054C6BE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029753Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:11.989{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51173-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029752Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:14.590{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCE02B0B918355A3A4DE415AA727816E,SHA256=4D86309F0488682A7F9D30D05C390A98C095D084BA6A2791B63EB83915481877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029754Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:15.621{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56F168CC5343EFE62A38BD7874CC3FF3,SHA256=AF4BC896BB5F6B88EE7F9D5FA342B3D8710F16A3230DFBF3A2A715A42058E301,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049104Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:12.627{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57468-false10.0.1.12-8000- 23542300x800000000000000049103Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:15.547{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=A3FDDF9CC3485E6F0D218B74769459AB,SHA256=EDE0425E53CA0B04F3C39A0224B9B62571D7D1D5F8EE3FAD155B73110EADEEFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049102Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:15.547{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=60D00A5CD23C754F40A64595D58D2FA2,SHA256=6989FE798355FD8C5D75517E382621E41AD37E8A01EF1FA6C03025E6C8E4519D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049101Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:15.547{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=D41DBF64230FBE009A99B1287AFD556F,SHA256=CA75C52625555471D2BA4C50603975527961DCCFBF7FE07A44282F74B0818CEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049100Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:15.547{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=1A33A0DBE07A80A287BED083BBAF049B,SHA256=17BD8FA552390AE81CF12C232B1D249D2D798273F605D05EF3F6E61595C00D91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049099Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:15.547{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=5804BB7ED5CBE8CB2F81B20C38B3ECA7,SHA256=3E39FEABBB487B8CE0F409E292212FA78D0C67ACFB4862CE0381857842E3AEC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049098Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:15.547{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=6D6E2C2968E3B45BE0256C91AF82F96D,SHA256=793E5A93BCF6B1F7A022A938D5FE818CB506CFC1C58B6571B928574A1C27EAC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049097Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:15.547{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=605B16BC175779967F546ADE4F1BEC8E,SHA256=80087B2150E4261974813BF29CB8AA1332BF0EA161F89CB000C18CCD24CA3BD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049096Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:15.547{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=DA369FD28926936C5F3C418018321754,SHA256=BCE5E3697E001220B99E36B0EA4889D0D4CBC6B75E7D3C43F085A16941CEEE41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049095Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:15.547{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=95EF6746FA5E546AF3034F12ECACD82F,SHA256=DA014A8DBDE44D99F4145EB015884D4506AEFDCAE0E3E9B992F1C020AEE01E2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049094Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:15.400{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81C8F218C28F0DB274FE6BDD828E4439,SHA256=A9BA102E464A127C912EDC272C5AB588641A45CB4D420B43F57D84B3D27566EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029755Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:16.637{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27AD22A7FADB65951A33EC3894A32683,SHA256=3A710DF565DEC4C7B5301E4A1BF005F4998610CE37459F9098599F18ACC6A964,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049110Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:16.615{323FE7D8-053B-6136-6E02-00000000F001}44403484C:\Windows\Explorer.EXE{323FE7D8-0690-6136-1905-00000000F001}4808C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e8d|C:\Windows\System32\SHELL32.dll+61e00|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049109Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:16.615{323FE7D8-053B-6136-6E02-00000000F001}44403484C:\Windows\Explorer.EXE{323FE7D8-0690-6136-1905-00000000F001}4808C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049108Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:16.584{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-0690-6136-1905-00000000F001}4808C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e8d|C:\Windows\System32\SHELL32.dll+61e00|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049107Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:16.584{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-0690-6136-1905-00000000F001}4808C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049106Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:16.584{323FE7D8-053B-6136-6E02-00000000F001}44406120C:\Windows\Explorer.EXE{323FE7D8-0690-6136-1905-00000000F001}4808C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049105Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:16.431{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCF23BFC78D97C73B95EB82E8C64B236,SHA256=A29CA37DE39FD86D78DBA0B811EC77322123749391571D64C3C36C2754B62E88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029756Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:17.637{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19EEE4B4E99E3715CD49AC79499DD22E,SHA256=D8BDA017DC4B9E037914E344830E885FA34FB7F9CD3E040BA7B12FE26BE68D94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049111Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:17.431{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ACB76283E9459118B60ABF895BF9FC8,SHA256=F9CD9DCC0658AC8BCDB005824F4B8C6E12CC48B6F9717C1C73C1AB8A2CACEC55,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029758Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:17.052{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51174-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029757Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:18.652{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E95B0E956A6153CBD4CB394609681242,SHA256=F3CF19353FDBA9EF61D67E2C25A3D37453C5D9896D7DE06830A177AB470CD170,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049112Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:18.432{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17CDF30B6120AEEEC51DF65AD7365605,SHA256=D68B70F1E3A4B30B779088038D5D853B2C04123066E16C91B2C120AB6635B685,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029759Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:19.668{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6622CADC6C15022C8DF3FE6B8B3B7C06,SHA256=C7469901ADCE0E7C248B81CC34AF035FEAA7AB6D4B2AEFA4271BD95294090FA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049117Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:19.816{323FE7D8-053B-6136-6E02-00000000F001}44405196C:\Windows\Explorer.EXE{323FE7D8-0617-6136-F403-00000000F001}4476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a50|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803046D18A8)|UNKNOWN(FFFF8659940A5B68)|UNKNOWN(FFFF8659940A5CE7)|UNKNOWN(FFFF8659940A0371)|UNKNOWN(FFFF8659940A1D3A)|UNKNOWN(FFFF86599409FFF6)|UNKNOWN(FFFFF803043E9103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000049116Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:19.816{323FE7D8-053B-6136-6E02-00000000F001}44405196C:\Windows\Explorer.EXE{323FE7D8-0617-6136-F403-00000000F001}4476C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55531|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803046D18A8)|UNKNOWN(FFFF8659940A5B68)|UNKNOWN(FFFF8659940A5CE7)|UNKNOWN(FFFF8659940A0371)|UNKNOWN(FFFF8659940A1D3A)|UNKNOWN(FFFF86599409FFF6)|UNKNOWN(FFFFF803043E9103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049115Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:19.816{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF741f0d.TMPMD5=4F8EF1C2D0CD074D7EF5CBE84B3E29E6,SHA256=5DAD2EEF2DD790596120355F9CB5804457452E6EEBD4F53B0DF824C4CF2242DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049114Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:19.800{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\aborted-session-pingMD5=7FEE0C9FD23A797178FD342C491D988E,SHA256=F92789634F6D32A2CDDD129FF79694DE9CE7191D676138FD04C723404D8CBF52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049113Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:19.463{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEDBED1EEB0B603C597D238694E7A342,SHA256=9B644FDF7671013EABBC4B4C661BFBA1E3F4C38F02FD297B006475422E488226,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029760Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:20.713{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A14B4FFCFFC00BF930A127470C598176,SHA256=34F25AF091A9DCDF85C3596178B83D5C4C8D36561BC5A6265002FDAEDDA23244,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049119Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:18.626{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57469-false10.0.1.12-8000- 23542300x800000000000000049118Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:20.482{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56B64CBDB867EA7F8322E4BDD7AC3701,SHA256=E6EF3BDD801C2896401E11682C0B76F441D7769228D8AD47B9E1518A08A813AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029761Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:21.713{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A406AF44FA9A3C2EED95E317E8C5C6A8,SHA256=3A35D759C6D5A8D75D81FDD7109FECAC47A769A0E2DF4BFD7DC1350E15E4F097,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049123Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:19.616{323FE7D8-0617-6136-F403-00000000F001}4476C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-456.attackrange.local57470-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x800000000000000049122Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:19.615{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local60285- 354300x800000000000000049121Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:19.613{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local58290- 23542300x800000000000000049120Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:21.499{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2703131F43BE40A367B950731F90018A,SHA256=A935F18AE2ED4430782BFF508B3ECA181E3DB3829B8CF32A73469F6EA3FAAE8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029762Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:22.713{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ECFB87B4D742FBBF0B5461844F4FD29,SHA256=F7C1F79C2C5DC53A83EB4A4D5A2C7B9EC7BED10EAB21E337985F45EF1DE1BD6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049124Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:22.514{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD70F76B1859E044573F65D65AACFE79,SHA256=8BA27174C01C1340C2F660B200086EF80632AE02D903F6EC50DB88AEE240B7D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029763Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:23.729{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C61ADDB35C349247D27D350390BB94E,SHA256=779A5F8F7A3D7C32A98359F457BB1AFE4EE647E4258CC79406E1B57C7EDB0D31,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049130Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:21.813{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local50630- 354300x800000000000000049129Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:21.813{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local59769- 354300x800000000000000049128Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:21.812{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local59659- 354300x800000000000000049127Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:21.809{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local54991- 354300x800000000000000049126Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:21.809{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local65535- 23542300x800000000000000049125Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:23.529{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=151BBEF121CBDB5EA600CB11A346C65F,SHA256=C6A790F9F43A6228971E67C5C3A583E828E07D14C625CC837C0C2B45A5335AC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029767Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:24.776{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0F1976DC5F63C74659D956AE6325CD9A,SHA256=94676C74167790F075E7D1DEB544B45A23DFE6BF1A6C0CBF4A418AA3EC0658EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029766Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:24.776{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5E9C885B108F8AFC704C435B00E1DFFC,SHA256=7E9136F64CCD2DF7C24BF2456E519C8667DE7F39070E18527495C21C307196B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029765Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:24.760{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C7CB83B56EB286D633D8D241A0A1D17,SHA256=D43943B28882AB10BD494DCFC7520504A8AF78AFBDEFB6EA1ACCFA3EBC8AB6C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049139Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:24.936{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\security_state\data.safe.binMD5=6F643699C383162DB699D0FE908E1A67,SHA256=E47020992E53309ACB2C48623BB632EE1AA34CD68062F3A070FB7C5F169F93A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049138Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:23.366{323FE7D8-0617-6136-F403-00000000F001}4476C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-456.attackrange.local57471-false13.32.121.6server-13-32-121-6.fra60.r.cloudfront.net443https 354300x800000000000000049137Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:23.365{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local58702- 354300x800000000000000049136Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:23.363{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-456.attackrange.local63355-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x800000000000000049135Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:23.363{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local52661- 23542300x800000000000000049134Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:24.847{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\security_state\data.safe.binMD5=6F643699C383162DB699D0FE908E1A67,SHA256=E47020992E53309ACB2C48623BB632EE1AA34CD68062F3A070FB7C5F169F93A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049133Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:21.814{323FE7D8-022E-6136-1400-00000000F001}1096C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local50630-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domain 23542300x800000000000000049132Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:24.552{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=731A68921F8A37366C45810EC94AA69D,SHA256=489811789730D6A66FDD6E6A990C10F31D1138933B2D8391D641BA8A72E88618,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029764Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:22.113{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51175-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000049131Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:24.299{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029768Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:25.776{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45E9D0259DE92C7823A551C521EBDC1E,SHA256=8D7AF7AA7B0DF8EFABA924D7360B8871EA607BC549EC8EF37E2F568AC2686800,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049146Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:23.815{323FE7D8-0617-6136-F403-00000000F001}4476C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-456.attackrange.local57472-false13.225.87.67server-13-225-87-67.fra2.r.cloudfront.net443https 354300x800000000000000049145Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:23.815{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local55395- 23542300x800000000000000049144Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:25.558{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B04664540FFA0769628DCB2B92368C25,SHA256=8536CE7416DD59D14CC95B0D6F03A117A151FB7F66351FD92A7452895647B580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049143Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:25.454{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000049142Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:22.218{323FE7D8-0617-6136-F403-00000000F001}4476e11847.g.akamaiedge.net0104.79.89.85;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000049141Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:22.218{323FE7D8-0617-6136-F403-00000000F001}4476www.ebay.de0type: 5 slot11847.ebay.com.edgekey.net;type: 5 e11847.g.akamaiedge.net;::ffff:104.79.89.85;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000049140Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:25.205{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\security_state\data.safe.binMD5=94F331A4BC76094E9E1655227825492A,SHA256=6EAF37FA5215A24CFE6366B85A0DB515A6BC19EC312FC07391EB202CDEDE39E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029769Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:26.791{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E18BE72DFCE8DDB8DEFE17D728100CB,SHA256=D852A135B1D0292CA1F57797BA87CAD5A00FEC08E2EA23FDC3E5DEDF78AAD42D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049156Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:24.736{323FE7D8-0617-6136-F403-00000000F001}4476C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-456.attackrange.local57476-false65.9.71.48-443https 354300x800000000000000049155Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:24.734{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local60231- 354300x800000000000000049154Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:24.732{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local57364- 354300x800000000000000049153Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:24.683{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57475-false10.0.1.12-8000- 354300x800000000000000049152Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:24.564{323FE7D8-0617-6136-F403-00000000F001}4476C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-456.attackrange.local57474-false13.225.87.67server-13-225-87-67.fra2.r.cloudfront.net443https 354300x800000000000000049151Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:24.547{323FE7D8-0617-6136-F403-00000000F001}4476C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-456.attackrange.local57473-false13.32.121.6server-13-32-121-6.fra60.r.cloudfront.net443https 23542300x800000000000000049150Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:26.573{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7540D4B2575530A189C23DEE0F5527F,SHA256=3636ECF908ADD1FEAB320BA0EA34AAA956205BDA4284804942AE06099CD6C7B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049149Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:26.489{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\broadcast-listeners.jsonMD5=7CA3BF1DB9D1A426F41136C25791BABA,SHA256=F3A515C8C8197F8D1EA62530520B6722DBBC6F06486F832C5F19E4C0F6626C11,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000049148Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:24.223{323FE7D8-0617-6136-F403-00000000F001}4476d2nxq2uap88usk.cloudfront.net02600:9000:211e:7c00:a:da5e:7900:93a1;2600:9000:211e:6e00:a:da5e:7900:93a1;2600:9000:211e:e600:a:da5e:7900:93a1;2600:9000:211e:4000:a:da5e:7900:93a1;2600:9000:211e:b400:a:da5e:7900:93a1;2600:9000:211e:6c00:a:da5e:7900:93a1;2600:9000:211e:3a00:a:da5e:7900:93a1;2600:9000:211e:2800:a:da5e:7900:93a1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000049147Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:24.222{323FE7D8-0617-6136-F403-00000000F001}4476d2nxq2uap88usk.cloudfront.net013.225.87.51;13.225.87.40;13.225.87.113;13.225.87.67;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000029770Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:27.885{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=913897D098005C9B55DA4958F30BFBFA,SHA256=667BBE6A6D378478BDC530109CD9FB89E654317A617A840E79F8F0E5391CCE37,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049158Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:25.215{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local57904- 23542300x800000000000000049157Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:27.589{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A411FBB388A2DBD43417BA70A1229284,SHA256=3A189FBAA97141CA3403B408201043EF31B1F29F9CA2D57D98A64BE9D9CB321A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029771Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:28.885{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E081AF24CDC147AD947956A002F4A2C3,SHA256=DC8185570DF35C5B85FEB2C9F5F2BD761F8CC7B27E6F4B5E71BBACB256E7506E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049159Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:28.636{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6951F870202E1FAF05D649D0D7FB75C4,SHA256=96849F76492C1D57527DCA87FF1C4421FA2E195035255247E165E3C33FE94241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029773Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:29.916{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E84346D86F74887B3D3B33A4F7C0F463,SHA256=B45EE88F482C1A4A851F28D9666BB2A9A76924308321AF7D02DABB047177C810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049160Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:29.638{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=839AB5DFADEC467ECEA56D9DE19C1C3B,SHA256=B456C4728E34D02C352F9C072CF49FF04C23309236DC08E75D301DE722764029,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029772Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:27.863{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51176-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029774Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:30.963{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=845906D656FA3B026EADD7B4812DC5CD,SHA256=AF6A80914BA5EF6024184383AB8445829974B3CBED803A3098E7DBF4386A9D14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049162Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:30.790{323FE7D8-02BC-6136-A700-00000000F001}1036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049161Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:30.655{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C4194483AB068FE234F33BB15D30D9A,SHA256=6B9DCD942AB5DC9BA443874E72B941A787E5B056D89D48C973958DD97C581998,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029775Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:31.963{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9016F0BB7BAB9F265A64793E14BFE36,SHA256=AE91EF8953CD01A834E557D1CA6A593FD8CE488A4822B39120BE49DB658448E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049163Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:31.674{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C815DE7234745F1785EF24A37DB95884,SHA256=1F83ACEE8F6B6439E2559E79F02F921C2788A380295EECCA16D3EC934DFB1E91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029776Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:32.995{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E64AC45DF4A8238AC2257A8E19183B5,SHA256=A4EAF521EF02C3166F62FF63AEAA3FF8EB720E2972A778D7DDBE0DD65C585726,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049167Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:30.685{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57480-false10.0.1.12-8000- 354300x800000000000000049166Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:30.369{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57479-false10.0.1.12-8089- 23542300x800000000000000049165Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:32.675{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB1707748611942E07932DABBF0D5F1F,SHA256=D588533BFD22D142AB592B03317B9362C5D74EAA65860291D027DE941065B666,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049164Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:32.206{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=78E786926460EA75D1510D45EAB00414,SHA256=1ACC77533533CCD6A42539D4503148D3C16CA7B615BE6A2FFD00200FE1C1CDC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029777Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:33.995{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEDC1FDBB840F359B0DB5D1413B39BB6,SHA256=8EAFF0784F5E3DC814D2938943C00FFD982BB1E8DD9BFC54474B6E34EE2FBB8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049168Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:33.690{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=565BE26D9457210A1739BB3B3252B6DF,SHA256=9C7D222F592738CD8A23E42CD562CE2993ED041F4C01D5649D56479F774C735F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049169Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:34.705{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F2E48275CDB04FD9678A4429BD2D3C6,SHA256=BB82CE1309730B17C983919F054A5C094C27122131B396FCC4C1C6D2FF80FD25,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029778Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:32.925{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51177-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000049170Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:35.736{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42A48C55BAFDAD8AD9B8ED81BA21C7F7,SHA256=D3864417343EDCDC143F817C838BAB9188BEDFBA65CBE9A9BF8C00FF67DC015F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029779Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:35.010{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C5EBCF55EEC395116DFB8740F6A4DE4,SHA256=B68EB05633594EF19A7F6E0C194684147D9DF520410F3FAC1298B223001DE953,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049172Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:36.736{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=531CDA5B311ED91AD6E2A9F90D2A4E15,SHA256=E9C4FDA0F89E0EE0CC3C2A1EBF596AF3AB9947FE45E210FFB642D5F605DA0190,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029780Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:36.026{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A4B1FFF4AC1E961BAB04AAB8CB8788D,SHA256=E7DCE984291384143551A637E9BCB3AEB8DB9A1AD4BDDE1B7BC641D6576DA648,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049171Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:36.420{323FE7D8-022E-6136-1000-00000000F001}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7A09F40D2EE905446AE3BEABC8CDB476,SHA256=61DA21AF78C6C59FF13E16463A09335FEE395C2AE94651D7EF63D086D0F91FBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049174Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:37.773{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=243DE3D91259DB46BFD12FF8F6FD3BB0,SHA256=CDCDEEC4F10D2818E8E9B6B06FF2BC50F2D7A994255B51D74EF0260C4A62549C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029781Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:37.057{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0756AA6BC1A5D33C365E9BC7241E24A3,SHA256=86A6C2D0F52E14AACDAB5ED52A6648CD49950F0A3604DDDD495F1459F616EA36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049173Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:37.273{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=BE5C2C98881A4F25C70EDC28B41C59E5,SHA256=C839825D26FEE86924A0F29FC90699B0B7A917C16FBEBC31A41ADBDD6F0E4A7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049175Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:38.803{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC136B64874BAA877E5DA0131899E60C,SHA256=C25BB53C6E217632B7531D8D6FA9C9BE43F691FB0EA515438AE109C2A9CB6EA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029782Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:38.135{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC1796AF8673FD685DDFDA5B0860198B,SHA256=DBBDD448222E9AEDFA3606BF4FDD25AD6269ED679C3B278990B7B0ADB67CA9DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049177Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:39.819{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DED5A6D7D21457A87E5A73F8B5ED954,SHA256=983F53A8648E10D26266DBAD862B776124FD56B45E74E04309E459E19A19F5A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029784Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:38.019{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51178-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029783Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:39.151{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C176449E1BA77BE51441CE391BB757E,SHA256=D8EF95AE95163B03E8855401D957A1B8EEE66074911EB8F1E696308A6FF18242,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049176Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:36.668{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57481-false10.0.1.12-8000- 23542300x800000000000000049178Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:40.834{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B5880C353C34201B98468402305AE39,SHA256=22EC4E5A3429576990B18C297A35E8E427133F0DCD578E020ADE4C40A05F0BFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029785Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:40.171{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFD443005F5BEF32CB960F12044119E8,SHA256=458C28F4801A37F3CAF5FB45209AFBFD2A716BDF241F685FF99B80DEEFC2CCC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049179Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:41.855{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE9078F160B19C454C31F56861B10276,SHA256=8CB873F86F5D393801BFB58D61CEDD6ACAC6E2143E828D4264084B9A20B43455,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029786Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:41.187{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7AA169AE0990C515D55B9917BDA716A,SHA256=D422A0FA1AAF690666D7CCC293E42945C7540B4ECB414A5DACF6E2BE51D87BAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049180Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:42.874{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B66DF1E3C8CE192AC2522706F76F3D9B,SHA256=6A3F62218D69AA17C501E05D36AF7E894BB9D6E5A499FE156594A20804B7A410,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029787Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:42.202{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=482B1A6C6A478B7384A963294593CC79,SHA256=29014FCD7334E8FE0C869BA82A7F03819E0B5531588D266861E29365E9DF1810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049181Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:43.905{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=493B81565511C3AC88DF40A2D567B6F8,SHA256=2100F92C94337A30756C27D93F76ED5B57C0515FF5DFDE4F1D22F69D6A2DB9D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029788Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:43.218{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=451C13E5DFCD342FA8AEE34012AF246A,SHA256=3859FCC0928DF8BB97B669105D6484A8F69243C2876F2564989ECFA4C550DA00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049183Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:44.935{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42DB75AF2F259972E91C916C1427455E,SHA256=4B79FDD2E0DF43DA261A14634D520A8CAECA9EEB803CF727FCE7AF473FDCB65E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029790Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:43.086{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51179-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029789Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:44.265{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F41952208773892A24F27AD236FC6219,SHA256=45566D4F4CCBDD203F1B30E0B74DDDBA4CE9148E231D6A6A74AE2133034DC12B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049182Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:41.812{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57482-false10.0.1.12-8000- 23542300x800000000000000049184Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:45.952{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6F1B15728A693D61BD037521E88D74C,SHA256=C6B70ADB9CB5B55D5AB9C7DE79B21987C6B259AA3FAF643E375B6366F4B776E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029791Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:45.280{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E42C365DECA8B4200E64088CBDF413C2,SHA256=B7B88DF339191DBD49D74616347212F7266F4F6786CEC5CD5F19E88E49E0C492,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049185Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:46.972{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=539F4EEEB8B03B2376092CB2327C94AE,SHA256=DF3969A8B7B2890C5A416EC35E8E1BD78E7DCF213019E817345904A2B66F3DA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029792Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:46.296{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B72F0F8A47E175A2D8C4C6949C32FE4,SHA256=957D743A6C2A77A7EF85CBA4B7D581F6DB08E0D356419497784E9750C6697A71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049186Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:47.973{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E882D690DF8AC3D61EBCD0CFDC92368,SHA256=5CC7942C11B657020B41A8796B33B508398AAA0130B4A43778D56CF7F78E8C60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029793Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:47.327{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4618CC2870BBBFB9BA2A76D1C3FC31C,SHA256=21D2D9E8572852890C9F5BB13A0F52B332E72AAEF68C59D03A0C8FFA5C273819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029794Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:48.343{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9143686CB971D7220804AAFDB6D92B3E,SHA256=853BDEC7A36BA6C4B156365A273F5573EF9CE76511FBE85E547E63073F457DC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029795Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:49.343{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D1B1B79A80EA4B8DA73E0CCA4232E63,SHA256=35949BBC8F22118DDDFCF50B7FAE5E33D84AA90F792BBEB0B2730383B0C8B4BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049187Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:49.003{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=992D4FFC309BD59FECBC5586E799759A,SHA256=89C8371C66A194F73BD777B414F40DBCABABC429183EB406A17DB4A8F1247AA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029798Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:48.899{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51180-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029797Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:50.773{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\respondent-20210906120554-115MD5=4761C661187147E55C9BD88F93ACDD3F,SHA256=E49051AD655512C416AEEFA39D6145E31F50204E8459201070596158B48A8487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029796Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:50.360{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4508F8492BC498B00341AC458FC2114A,SHA256=25B38CEE077210C9AB70B6A758DBBDD89551850F3F9EA07F1EBB651030C677E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049189Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:47.682{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57483-false10.0.1.12-8000- 23542300x800000000000000049188Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:50.033{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78F76B61B21070D859029F16C76A27FA,SHA256=CBC87F6471EA863695293B42108473F02C67787E847778C3315948EEB9D1BB53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029801Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:51.757{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\surveyor-20210906120551-116MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029800Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:51.757{FFF7FB96-041E-6136-1200-00000000F101}1020NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E7F2F2E647F339C0B2DA8C0F231B75A8,SHA256=3A31A9D8D4F02BADC7111022F3BF4CA584AAC717FF80A48492D740B370395E70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029799Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:51.366{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F9C3FB4B95B526A5C4DA527E5EF1B8F,SHA256=C40F18FDE8DF4C070E75E98B2DD6C0FF6D71CB22FB0A112571F5FA3C2A1EABF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049190Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:51.067{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A37ADA3F088CC03BF4339CDDF8A8E169,SHA256=5A0B5D9ED1DFADEA3F1B8B5F3F4D665556567674131C17C6C76DD5FA143EBE84,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000029812Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:04:52.867{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000029811Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:04:52.867{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006d0be4) 13241300x800000000000000029810Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:04:52.867{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a31f-0xc7c4936e) 13241300x800000000000000029809Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:04:52.867{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a328-0x2988fb6e) 13241300x800000000000000029808Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:04:52.867{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a330-0x8b4d636e) 13241300x800000000000000029807Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:04:52.867{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000029806Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:04:52.867{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006d0be4) 13241300x800000000000000029805Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:04:52.867{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a31f-0xc7c4936e) 13241300x800000000000000029804Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:04:52.867{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a328-0x2988fb6e) 13241300x800000000000000029803Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:04:52.867{FFF7FB96-041D-6136-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a330-0x8b4d636e) 23542300x800000000000000029802Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:52.367{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C572BE02690C0C9968A900E7134AEAE4,SHA256=CBEA454275BDF1ED4B51180DAB5A3F69BE80B731E61A7A60CF03220EF6FF9D5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049191Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:52.086{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD25D598A4387CC6C3F6EEB49CEC8F8,SHA256=316EB579854AA6B106E22778F00AE8EF8E80BB1332857DA5BED583A272BF574D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029813Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:53.367{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B3249266AAD1DDA3992E1B03C090F48,SHA256=8C42102F29899557AF0FC408E91F62535A4104C1A64C73B304DC319D016A4D22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049192Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:53.100{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8B97297C0EE5EF84586D14227299EB7,SHA256=4EFE0D0419511CABFC9EA73185461E5CC60C302728F0BEBA593EC34072CA7E32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029814Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:54.367{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B3ABECA7F0030EBAD87A63DC868A4C4,SHA256=4829066D41ADBC82E32C290672160A616BD5AEC9ECAD94AEE82C1DF28F42C801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049193Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:54.115{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7E8CE42B617C5013EF4F1FC489FB775,SHA256=91FDAB47A5FAF762C854472159AFBD7C86D838C4793350A97B061C647FBCC1EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029815Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:55.382{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C35281D57E97C3B0700B3B27D3D5DBFD,SHA256=D40F99E79D756FBA59D6BCB27705C1023E90EFD85B9E985F64FDF5B5536F4E4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049203Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:55.130{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC490FCEC675DBC52DFC5969B46EFEA7,SHA256=8858EC92A66EEA186040EB5DA31CA794AEB0315C7F7E3C942F2A8A282B12D7B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049202Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:55.065{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=7C6B6A5ED7E9C3640DDD3188FA67D4B3,SHA256=FA00193E06CE61434D3F1B24B6F6E227E96D6CE87C268E0993C4724A41EC1B08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049201Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:55.062{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=9862A33237C8C68A3108C7AFD85D8A09,SHA256=A2F88615FF7A4D6F7B9BF5E61571E806C412006C9FAA98B015ADBA77DBCEF62F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049200Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:55.046{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=78A9877045409BC3C085513086CEFA94,SHA256=FED2D8DE9A774530B558920D186CF8FCAB90CB13BD245DFD14915EAF85D4883B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049199Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:55.046{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=B0AD64843B4DE3671F62D9E79FAD6C1C,SHA256=6D96AC3959CB33CB675E927E893B01CFD553953DCAE767D01F560730C5D7EE57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049198Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:55.046{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=4A671FE9D8F0C6813D7384B5AF779C28,SHA256=4EABDAD603740974B5C97361B48376E40C23F987E9F38064441D31AEE1322C7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049197Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:55.046{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=DBFD06E04A3E1BD076F3754B73BDB276,SHA256=E2096AA291A1A307173288445FBECAB677F7EAEA42DF43267E70E83B5ACD8827,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049196Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:55.046{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=A535083DE9BC82ED89D4C8349A014526,SHA256=E459A8993E5F9E72509E87BDDD95691F44D3F8F3268DD744541A55849EF85485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049195Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:55.046{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=F502D583B6CE4FCB90B0E1B4F548DA4C,SHA256=BE428C5733E944073B25761B9A64AD122BA98B5F1A33AB92434635CDD6DBD68E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049194Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:55.046{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=12E6EF889EAC5DFE4E17A26BD071C324,SHA256=B539CAA0C121ABB01CCB1EC379AA7AEC835C7D934139A749AAE0D53FFF8C9D06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029816Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:56.382{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F536BA0E0973FE28E0B311EA154290B9,SHA256=3B3CF943CCF1D746B143F67686017986DEF26DB543107056D5A73C58E462D40C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049207Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:56.530{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01E77E95D75D5EADE399230CFD8B41E1,SHA256=209B0CD6B902CFF783ADFEDA0C1D9CDC04468A2F7B9C9AC280FD3AC1190021E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049206Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:56.530{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A95AD95F7A1834B350C4856B0D4BA115,SHA256=1D204C56B141155C080E65367E6AE42D9C585E5B23E5540F9B34DD6BD541D23B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049205Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:53.694{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57484-false10.0.1.12-8000- 23542300x800000000000000049204Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:56.163{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3882D115E6B7FEFB63DC378BF3D0258C,SHA256=981F6BD717E8002874F71031649DEBBA618B6CFEB647298672DB0163204744B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029818Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:57.382{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBD902CDD9D188C4CC324B5C8455C4CB,SHA256=1DFD13827ADCF1475B681DD74917539239EE17AEACE9C5F53B16FC1E8222F2FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049208Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:57.182{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C871037824BDA1D0578D07856F6549FC,SHA256=0B43806B4BE440DB948BDF46121425181DB8A4580FF50571D2E4C82B59200300,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029817Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:54.891{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51181-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029819Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:58.398{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E3685EABBF88620D00906CFE05E54F5,SHA256=7DE61EF215758DA37C403378B70DD07CBF4D363B1D2AD4D840118AF1A9427894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049209Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:58.183{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C03C3B903CF62C2A56D32C50588B578F,SHA256=4276E5780B21AFE9694081D277008FC370BB8FA1246E0B961EA5C5755030402A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029820Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:59.398{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=786E479D5AA41DDBB4A267FAF3099903,SHA256=9B04A537CB833C438DB92D68766B5CD24F9E7FFAAA7D93F13584E836975D3DDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049210Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:59.197{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D497D8168975BBC3C7D25D500363E573,SHA256=924C617B6416E52089D71A78AD313A7D443812DA49F5B8F2020C0F384DF57702,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049211Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:00.198{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA6922A064B842297432D83DA41A3848,SHA256=8FBD0EBF164003BDFCCFE51B9B2D52E448255BAA7331E27BA17018F05157D5F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029821Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:00.407{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DDF4DE713CD18D5C71B8896C3ACD5DF,SHA256=DF44AA1C87833C626BF1B191D969240C4ED0135296BF4F0B4C6F8D8EBE91F55E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029822Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:01.407{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B539436045A80B4F6B4015D64ED37BB,SHA256=938D0FA9CFF8588DB3AB6908B3850FC95C4C8110169795B4B2FB2EE2CCE90339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049212Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:01.215{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687C724DD9EE4FFB99A55011A969ADA1,SHA256=A183E1D332D2EFFB7CE5DD0167A75512C4731CCA2CF38E2324390A2D6F051F41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029824Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:02.423{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D7CED8587E9BA946272F1EFFF6F440,SHA256=85572308E9AF4B859B4F29B73955DAEB477BD3B7546839A4851628F8E44F12C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049215Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:02.532{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\respondent-20210906115753-123MD5=58D52BFFD80488B8005F7C319C2D4334,SHA256=B9D8441D1BC2ED8425146F5F211E2A21C477807F4E0B7EBAD9811C868FAB9279,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049214Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:04:59.693{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57485-false10.0.1.12-8000- 23542300x800000000000000049213Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:02.230{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E4FD6B6461B1C064D115BB6E7B7C5E7,SHA256=9DA46EA5564C717D0BF3E9229699F31AAE9E592D3DA05A1D90374A59D31C687F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029823Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:04:59.979{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51182-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029825Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:03.423{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5809B906EB2BE9AAC4C22E396B750D99,SHA256=F122ECEEE91812BAF7E37A8F041CF28FA0942F8AAA269793A8059FFD741B6D22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049217Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:03.547{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\surveyor-20210906115751-124MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049216Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:03.264{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=567D5880DE80E12158B9A728BD155C5F,SHA256=B5D40683285301E12C54B4456747D0170F354ACD434ED609E1BA08D080D36600,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049234Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:04.966{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-2010-6136-9609-00000000F001}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049233Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:04.964{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049232Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:04.963{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049231Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:04.963{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049230Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:04.963{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049229Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:04.963{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-2010-6136-9609-00000000F001}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049228Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:04.963{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-2010-6136-9609-00000000F001}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049227Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:04.962{323FE7D8-2010-6136-9609-00000000F001}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000049226Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:04.283{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-2010-6136-9509-00000000F001}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049225Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:04.283{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049224Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:04.283{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049223Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:04.283{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049222Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:04.283{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049221Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:04.283{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-2010-6136-9509-00000000F001}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x800000000000000049220Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:04.283{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5418CF6009BECFA2AB4957DAB1A48A0F,SHA256=6F59D0F07B95BB6D2F31A18B8F2DE530431D5592C9956856D2A8B8703D0ED8E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049219Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:04.283{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-2010-6136-9509-00000000F001}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049218Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:04.284{323FE7D8-2010-6136-9509-00000000F001}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029853Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:04.938{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-2010-6136-FA06-00000000F101}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029852Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:04.938{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029851Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:04.938{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029850Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:04.938{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029849Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:04.938{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029848Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:04.938{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029847Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:04.938{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029846Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:04.938{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029845Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:04.938{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029844Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:04.938{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029843Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:04.938{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-2010-6136-FA06-00000000F101}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029842Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:04.938{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-2010-6136-FA06-00000000F101}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029841Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:04.940{FFF7FB96-2010-6136-FA06-00000000F101}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029840Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:04.688{FFF7FB96-2010-6136-F906-00000000F101}2488796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029839Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:04.438{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-2010-6136-F906-00000000F101}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029838Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:04.438{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029837Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:04.438{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029836Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:04.438{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029835Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:04.438{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029834Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:04.438{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029833Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:04.438{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029832Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:04.438{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029831Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:04.438{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029830Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:04.438{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029829Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:04.438{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-2010-6136-F906-00000000F101}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029828Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:04.438{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-2010-6136-F906-00000000F101}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029827Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:04.439{FFF7FB96-2010-6136-F906-00000000F101}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029826Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:04.423{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=771754AB21E1BBE31D5311880B49E4D2,SHA256=2051CCFFA00E9205473B3BF26DDCB8AB958901A4C5394505A63E791122C3FFF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049246Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:05.829{323FE7D8-2011-6136-9709-00000000F001}19604212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049245Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:05.629{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-2011-6136-9709-00000000F001}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049244Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:05.629{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049243Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:05.629{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049242Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:05.629{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049241Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:05.629{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049240Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:05.629{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-2011-6136-9709-00000000F001}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049239Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:05.629{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-2011-6136-9709-00000000F001}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049238Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:05.630{323FE7D8-2011-6136-9709-00000000F001}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049237Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:05.283{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB3E7C50290468BDD3323FF1247CE730,SHA256=17FCB4339BB9ED489E9829629142F1643D18F5D8820C7646495547DACA82A977,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049236Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:05.283{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A05028622EB4021842C8638D1704D35,SHA256=F0FBA3104B188D51975D37C8FBF08C9AF0B21F9200E73DEAC0FADB90EC1464E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049235Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:05.283{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01E77E95D75D5EADE399230CFD8B41E1,SHA256=209B0CD6B902CFF783ADFEDA0C1D9CDC04468A2F7B9C9AC280FD3AC1190021E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029869Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:05.485{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-2011-6136-FB06-00000000F101}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029868Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:05.485{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029867Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:05.485{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029866Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:05.485{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029865Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:05.485{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029864Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:05.485{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029863Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:05.485{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029862Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:05.485{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029861Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:05.485{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029860Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:05.485{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C70D6E86B7EABBEFE545AC025D714BDE,SHA256=60FEE6E5678E4CB2E647C47ADDC8F1A68D371FA84982445C38C4C0F41ADFC157,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029859Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:05.485{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029858Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:05.485{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-2011-6136-FB06-00000000F101}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029857Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:05.485{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-2011-6136-FB06-00000000F101}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029856Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:05.487{FFF7FB96-2011-6136-FB06-00000000F101}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029855Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:05.485{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A5FA548693097D4D9FDD178D0131A46,SHA256=54800211E7568E2EFEFF64D57A65165EDCED092B7F057B7D47BF6C21FC980142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029854Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:05.485{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7100CE469E1E17546EFEFC63A8B11E68,SHA256=35BD5E0ED31D525C322D0B4810C045C31D95AF2A61FD8C184AF814A4A24EE3C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029872Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:06.517{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DC713E84CABA7AF098FBABDB02C0C49,SHA256=A43236626E063A90EC3C8110BAC7C0AE1E56C4F11331555D201F501913A745B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049248Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:06.644{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A05028622EB4021842C8638D1704D35,SHA256=F0FBA3104B188D51975D37C8FBF08C9AF0B21F9200E73DEAC0FADB90EC1464E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049247Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:06.298{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD6ED804CBD1330A75DA9EDBFD285EF2,SHA256=435A0F5E1C65044FF0F43FB0A478312A179E3D885BFC127877DD6234FCF248B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029871Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:06.501{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C70D6E86B7EABBEFE545AC025D714BDE,SHA256=60FEE6E5678E4CB2E647C47ADDC8F1A68D371FA84982445C38C4C0F41ADFC157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029870Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:06.235{FFF7FB96-049C-6136-9F00-00000000F101}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029900Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:07.767{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-2013-6136-FD06-00000000F101}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029899Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:07.767{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029898Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:07.767{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029897Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:07.767{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029896Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:07.767{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029895Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:07.767{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029894Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:07.767{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029893Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:07.767{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029892Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:07.767{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029891Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:07.767{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029890Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:07.767{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-2013-6136-FD06-00000000F101}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029889Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:07.767{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-2013-6136-FD06-00000000F101}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029888Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:07.768{FFF7FB96-2013-6136-FD06-00000000F101}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029887Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:07.517{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30B8EB5950BBB8FB8635AEE7E2DE11B8,SHA256=26E6F3A5ACBBF2910DE4C9612DC306AD033C9496EBF2B1519924773DA78B1B5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049260Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:07.697{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-2013-6136-9809-00000000F001}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049259Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:07.697{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049258Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:07.697{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049257Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:07.697{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049256Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:07.697{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-2013-6136-9809-00000000F001}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049255Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:07.697{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049254Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:07.697{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-2013-6136-9809-00000000F001}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049253Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:07.698{323FE7D8-2013-6136-9809-00000000F001}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000049252Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:05.658{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57487-false10.0.1.12-8000- 354300x800000000000000049251Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:05.455{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local57486-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000049250Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:05.455{323FE7D8-023F-6136-2800-00000000F001}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local57486-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 23542300x800000000000000049249Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:07.313{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=202D37F38C928493336C8C623088F4A8,SHA256=5D5442343E5F07B0E44FF16254CB091FB125A4596B524C488D2F7398A5070F24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029886Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:07.407{FFF7FB96-2013-6136-FC06-00000000F101}31763788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029885Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:07.204{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-2013-6136-FC06-00000000F101}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029884Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:07.204{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029883Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:07.204{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029882Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:07.204{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029881Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:07.204{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029880Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:07.204{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029879Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:07.204{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029878Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:07.204{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029877Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:07.204{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029876Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:07.204{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029875Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:07.204{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-2013-6136-FC06-00000000F101}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029874Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:07.204{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-2013-6136-FC06-00000000F101}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029873Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:07.205{FFF7FB96-2013-6136-FC06-00000000F101}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029932Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:08.892{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-2014-6136-FF06-00000000F101}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029931Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:08.892{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029930Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:08.892{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029929Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:08.892{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029928Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:08.892{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029927Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:08.892{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029926Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:08.892{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029925Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:08.892{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029924Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:08.892{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029923Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:08.892{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-2014-6136-FF06-00000000F101}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029922Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:08.892{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029921Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:08.892{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-2014-6136-FF06-00000000F101}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029920Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:08.895{FFF7FB96-2014-6136-FF06-00000000F101}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029919Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:08.892{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFAE1D308624ACB50C558739FFB18F5C,SHA256=C96B354415F810CF73B804612F6D348CFE2804288949B0C13EBF90AA7F09DFBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049272Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:08.759{323FE7D8-2014-6136-9909-00000000F001}50886488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049271Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:08.714{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B01B34D3C032C8881ECEEEC2395932EE,SHA256=81CF818C4626DD5AC9B89263F3520AE0D82E3649CCF1369B61089B2CA72F6793,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049270Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:08.372{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-2014-6136-9909-00000000F001}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049269Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:08.372{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049268Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:08.372{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049267Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:08.372{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049266Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:08.372{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049265Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:08.372{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-2014-6136-9909-00000000F001}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049264Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:08.372{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-2014-6136-9909-00000000F001}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049263Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:08.373{323FE7D8-2014-6136-9909-00000000F001}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049262Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:08.334{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB5630834DDAEBC169FD35B0ABFEB5D5,SHA256=94DE1B36CF9FF0AEFADE5FC99BBE680A60A0EBB4E5DBCA05FDB56F7A7D2270AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029918Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:08.438{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F37986BAE4F26162985D9D4126D1EE6D,SHA256=1D713DD7466398D46B7596F305A146980557FD7A48026C2A0195F781DCC176DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029917Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:08.438{FFF7FB96-2014-6136-FE06-00000000F101}34123828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029916Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:08.267{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-2014-6136-FE06-00000000F101}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029915Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:08.267{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029914Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:08.267{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029913Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:08.267{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029912Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:08.267{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029911Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:08.267{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029910Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:08.267{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029909Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:08.267{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029908Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:08.267{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029907Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:08.267{FFF7FB96-041E-6136-0C00-00000000F101}7283896C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029906Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:08.267{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-2014-6136-FE06-00000000F101}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029905Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:08.267{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-2014-6136-FE06-00000000F101}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029904Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:08.268{FFF7FB96-2014-6136-FE06-00000000F101}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000029903Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:06.073{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51184-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000029902Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:05.979{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51183-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000029901Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:08.001{FFF7FB96-2013-6136-FD06-00000000F101}5801856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049261Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:08.029{323FE7D8-2013-6136-9809-00000000F001}55364056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049290Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:09.894{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-2015-6136-9B09-00000000F001}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049289Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:09.894{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049288Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:09.894{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049287Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:09.894{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049286Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:09.894{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049285Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:09.894{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-2015-6136-9B09-00000000F001}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049284Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:09.894{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-2015-6136-9B09-00000000F001}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049283Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:09.895{323FE7D8-2015-6136-9B09-00000000F001}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000049282Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:09.439{323FE7D8-2015-6136-9A09-00000000F001}52966380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049281Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:09.361{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E12F57504ECFC6E65446FFAA3AC979A,SHA256=D146E69E8B280B6405C617A64590D07478D0B5F2F263B82EE15435CA0B4D9992,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029933Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:09.907{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC7393F9F26C88970B39BDB87FD79249,SHA256=56A1D294DDE9E6FCBEA68DD884B7D3E66A5F4BEDDFE232EE3ECBC8659FF92397,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049280Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:09.222{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-2015-6136-9A09-00000000F001}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049279Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:09.222{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049278Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:09.222{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049277Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:09.222{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049276Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:09.222{323FE7D8-022E-6136-0C00-00000000F001}8484608C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049275Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:09.222{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-2015-6136-9A09-00000000F001}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049274Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:09.222{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-2015-6136-9A09-00000000F001}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049273Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:09.223{323FE7D8-2015-6136-9A09-00000000F001}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049301Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:10.378{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28A4A47CCCDB9CE0FD2F1385DE9F2471,SHA256=EBFD78BAA1666D090B327EE3DFEF36BE17CE97345CF917EE4156B909685A7F01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029934Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:10.126{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71FBFD85B8ECEDE7CA38E4FC1A9E7A50,SHA256=A2DCF082A404E4926855F0D078D6EA4A9EDAAAD7B57E0334DC9E481D4C33CBBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049300Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:10.225{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA7E046119FD5DD6E61746F6DD54454B,SHA256=E181E9001014E26EFB18344D7200F136F20A73318A9C5DAE748B2C0CDD6D70B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049299Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:10.125{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=78E9A99EA27B98C2AACC6EC58D8B7007,SHA256=6308EC9798F9A5557421FB614AC303A4EDF653147C3871C0478A6A7C35AA0A8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049298Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:10.125{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=2A1F355258769DD5A98071E05AC8CEDE,SHA256=59D0D5C29353759627AB234784115C7C5328B73D64436CCE47BA8AD160B0BB62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049297Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:10.125{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=E0767C313B5503BADA5DFDB1A5162751,SHA256=ECB2817C21149E132CDD4E1C7A8496596419A6FA2C071C72D6C61FBF751AD76E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049296Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:10.125{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=DC7892618262B1F4FFA765F5E6F46A4C,SHA256=C3F165A6DED2AA04E8CA4A811C48BF5D4BD447691526A33FA4875E24EFC63F3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049295Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:10.125{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=B38D09D214300F8C9D65A4E2CA97AC94,SHA256=A45B7E9B4F0866C315D830F4F1C45B20215C4522D48C41FF72A9B4BC3876D693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049294Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:10.125{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=D58BFEC37DC663478292D622B81B50BA,SHA256=C9534ACD78F2FB03D757DBE2E5038AB1C69C2C92220E60168E9FAB5BAD7E23A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049293Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:10.125{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=F80F2DD24DCCF0140E3AC39394413434,SHA256=4D28A2752063179C94B91C62D95A3850BF4A72681D8B621FD84E1D701DF42C33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049292Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:10.125{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=05DD86B54E43F5323D23C6128B9DD803,SHA256=92F5F4FE23D33E4C65071B7B435EC5A53A133591AD91186602178B37BCB94489,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049291Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:10.125{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=DA3246DBE09BD25E4A4FF1AC8804B0BE,SHA256=4F3DDEC802B2BB2F1B8D68A32E15C70D09DDA0ED374CB2BD39C7A2FB65C37F5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049302Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:11.393{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93E29E80F87B6D63C39570EF1D60CF51,SHA256=81E97F85E830BB6A1B310F8155B76BC819D6AAD1DA5B619B161D735E1037D446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029935Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:11.157{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA6296513573A4C63C191C0238B719FE,SHA256=6F4E83CECA9ADF42E7E083D00B977113D88DAC2A0B9D580456066326D0618F91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049303Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:12.413{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01DF38798EB6138AEA5201D31E65C45E,SHA256=0D8E29F0299DB280B49D387788A65B64CAC900B53A934DDAF5DF172ECD9BA316,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029936Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:12.157{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=435B42CAA7A91D3E98DC5B71C8194EBC,SHA256=3D1F8F15FF988B629FC82EC11C881D157A65BA4C4CD10FE8B6A5E97205534D01,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049305Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:10.750{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57488-false10.0.1.12-8000- 23542300x800000000000000049304Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:13.474{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F450D26A87B963AFA13D036219B44F57,SHA256=B71BA7EA9DD110C46D2C4C1D07181347AEA61A61FD9A14023FF9BCD6A32D23E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029938Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:11.057{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51185-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029937Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:13.173{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64ACCDFA8FA96E6A11C58A8BB6785766,SHA256=504909AE0517BB7D804ACE7AE19AD6696D5386DEDB9DCE0C43C57871865FAA3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049306Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:14.489{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA13F73AC1A31B1D0ABEDB05DCA3EB7D,SHA256=28C0EB2F1B9C1784705019CB7DA41CB7E82BD4A3D7180BC0723D352284F04029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029939Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:14.173{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C0D1CEF26DB5D36CAB5F191309C2AB,SHA256=031F02AF3327EE6205A66F41F4DE4EF399ACB96C14126D5F4D631DBAC0B13851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049307Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:15.504{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E79CD836389FA8F27E1158BF5561091,SHA256=0D0F41B9587AE8C15609D2617D811E127BD87234809926CC0280959A515BF779,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029940Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:15.173{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D397FE89C8E299AD79CF524E03B2C040,SHA256=479207DBE8746AADF99330EA7FCA84612B83080BBA5840B2AA604DA0505FEBFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049308Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:16.521{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F456C69D559108E07B8E512B893DEFE,SHA256=384025B011EFADC6087B53D54CCB1C7E399DFD6FA02AFD4AE366B45BBA8C749A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029941Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:16.173{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F277873CFE7ABCB2A135717D663E86F2,SHA256=5003E35836B4030C5D2F60888692D3A0FC0105042AFF4347C274980240C5FBC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049310Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:15.784{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57489-false10.0.1.12-8000- 23542300x800000000000000049309Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:17.536{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C253F96EE2EF504CE48383328E7B1F53,SHA256=2AB7BFCA31272CCC5F61929E9345EE1854FB7FC8FB032626F5C51498A23D0353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029942Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:17.173{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=210AA06673590A65663F6C5343B4138D,SHA256=BDB2B51B004B0C8E8644EFFC8579E9CFC385575C2A20A5C64B41E6FE9B255B7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049311Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:18.552{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46BE6ACC2476C4FBCA0A4503BB93C0AB,SHA256=B5A787F26CAA18BE18427A1FBFE26ED8EFB1D688BD3D54B973861DB0DE8DA70D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029943Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:18.204{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8351793F868F9241B4DD8FD7D23D779E,SHA256=A25190667A03C0BB3C1C42AF0C514C41F1FF8E5D55C21A7E0B291AE89CD55C98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049313Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:19.736{323FE7D8-022E-6136-0D00-00000000F001}9045860C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2D00-00000000F001}1684C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049312Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:19.570{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB4A7BB37A1D60DF7D559E3121198027,SHA256=4AA86EC065F938460C9C1BE41ACBE6802A2C6660ABF0F8C33D8532F0329F8485,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029945Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:17.026{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51186-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029944Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:19.220{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD525C062B9418BAED65CB7C75633E92,SHA256=6CF1097A826BE13DC2C002D99179A8A867B09EDA09CBF08627E5F99055A5C416,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049323Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:20.619{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=14894EB8AE337F248681C0A4E1944355,SHA256=F84C3EAB78B088CB4C0B4B6BA373345E8ECB2D91310C82FA9EDF3D58CE918072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049322Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:20.604{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=C6E1DB78A23E7847FC1194D587188261,SHA256=119C5B7984C5FB34CDE36ABAD01909CB81D4D536E25EFD967D29021A07C17F7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049321Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:20.604{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=751A1900224C97496AAE5C3E3DAAC502,SHA256=9061FEC91DC6BBEDC19F230C2BF07A48DF02123E4754AA94A9984C65E844F48E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049320Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:20.604{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=93B253A931F854D9C52E24993F31E789,SHA256=BCB749FE74BED855FA02BB07BE488234FFDF2C8F649D8DD43BE166A7964EA5C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049319Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:20.604{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=E176DBB272C91CFFDF839CC8DD3489BE,SHA256=A5E602C316BE67093E2B3EFC552CA64A11FA0338DEDA966CD6F71D69FEFFB76D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049318Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:20.588{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=7BA7F23A91A153097324E551382A62FC,SHA256=5F497F01D1CE059A888A7454E3E5A7183EA86C10702151010BF8098D22458AD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049317Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:20.588{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=5B1863A9EE887EAC19964F557157FCE6,SHA256=940D3FE27EE1856A49E9F8A1DF9B5A140AF83025A87CFDD5BB6117F4A5437441,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049316Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:20.588{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=775BB28D73B57FC331AF24C75904CB38,SHA256=C16014D4E9A256E123336910F3F7DB6D0F09D2E3A10181DB97766D1703CDADA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049315Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:20.588{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=69E3B521E28BB7CC754EC52FFDDD7F5A,SHA256=A1CD1A3E1562FF947A84B51951BCF03E567E0812D0864DF97A9B2CCDE174EF51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049314Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:20.588{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=D626E942DF0F028662D4979EBAC7E22D,SHA256=C4D372668A90964DFE3CE05CA9107E02B255D4B0467B3F8A9ABBEB0734055E54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029946Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:20.250{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3254C179D519E430B782130139409A86,SHA256=3DC540BAFC9625F9436005406BA602E2E9001C37AC9C434CDC3EDBFB79FBAA1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049324Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:21.604{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F695AFB9DAE1FE2BE7FB81E25914ED07,SHA256=F77D89392031D1051D75B75834195A62BF1C5BF8C1152114EF3304240DA803F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029947Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:21.328{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF8E6B6F53BE3353AE84F723A11C5A62,SHA256=5F849759B7B246D8E143D461D1DBAAEDE1C255E5CBECB4DFCCB1B1B376A5857F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049325Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:22.620{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06C96D5EDAF621442BC3BFFCB2DF8EC0,SHA256=91A3D0CA2A8A7F072191B66DB6C2E59C882B7FB61E4F97C699914EE04CB6E3C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029948Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:22.328{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1868DCE714BB30B4AC1A7F227A035250,SHA256=1A3F605D14BCD0AF3C9F000B1A21928EDA62040FA56A40B8679F268177EA7D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049326Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:23.635{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0A09FD3E27703C6E424C41B2459BA2E,SHA256=C60048D81B399322F3C6B48BD64BFD7464398AFF54409A857F5DBF8916C54E72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029949Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:23.328{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A81CD10730B4AB6B6A02DFD3826201C,SHA256=75C269DDAD62E7E7B29C177154B96EE8878147B49B444894EDB38BAF6B5DAA7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049328Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:21.814{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57490-false10.0.1.12-8000- 23542300x800000000000000049327Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:24.668{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADD8BE46D316E2FEAB3025663CFB65A0,SHA256=47579B797E45E3273B19E8E7171A7DCECDA875A2218C06B13F1BC35AB911BAFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029951Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:23.025{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51187-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029950Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:24.344{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74646F8080C015AF45723665E48B39CD,SHA256=E09C6CF816383CB163D5B8992D9115AC5EF955033C71457FA5021496D2EB06EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049329Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:25.687{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AD954F18B7CDDEF8D67725B92221D56,SHA256=9D2155DC3D68E1D298AD440ED929DD0116CF81E68EB0345232169E1A83F5757F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029952Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:25.344{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C8B7D5DB3CD2C7A6A98878122FB001,SHA256=21F0E0FE98364677D10F5C479E5A194EE97A936CA915A4B82179D5F1BBC823A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049330Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:26.718{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64AC645A7FF870FF339F7AAB7D3E207C,SHA256=8D7E66213535515287A9F851F3AF9A63542AC52417DFFA500DE7B26C397B2762,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029953Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:26.359{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13E0A57D812D97BA9D6322486E4206D8,SHA256=6B4FD947B6AC369E1F85118B65CE23FBF932320717A3EF356EA6D4F97AF9715A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049331Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:27.733{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B408AE20BD8CEA6BCEA94385D3DC246,SHA256=AD9BE1260D0F5CF233EEA6C5A6EAA7F97895F8FDAE4116D87F409527D4E8E724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029954Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:27.422{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B9C956A4331D36B6636A75C60BCFA4,SHA256=6D0923E91E3E37A63D2AEEDBC647F27968C5F3261C3203D0DAE78BFB71D9A60E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049332Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:28.748{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CA5E7B36544F594F61E81F7F4671F5B,SHA256=8A052EA1A687DA1CDAEDF4C9FF8B06055EC70069E782A5957F4F31AFCEFEFCAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029955Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:28.453{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB25D80BA659C68930E32A45E91E3F21,SHA256=6D954BC76559A46DDA46B9A8368D96476BA7F04466FFFB890503879B5A53D38E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049334Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:27.696{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57491-false10.0.1.12-8000- 23542300x800000000000000049333Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:29.766{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3A678AC0461F74A028DF15CE22C4E75,SHA256=E4D50D22B28CB225BD24A8493349BABAB6C1C529C37ADA71BECF918B08AAC4BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029956Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:29.484{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB47FE2663D8BBF5A72B72AE5AFA79A7,SHA256=57EBAA84C73B1C410632779B7C4034429D5F7DDFBEB071F38E5117E3E2C23D2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049336Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:30.816{323FE7D8-02BC-6136-A700-00000000F001}1036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049335Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:30.785{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8889211EA0C5423D65972D7A30139AFD,SHA256=488EAE052B825A0DEE5E004294F218C8D9475E8C6A9962890F434625F6582948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029957Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:30.531{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26CFAE20633AFE172AAF7C4CE8D76A54,SHA256=A42F5CA8AD627E896F0058478964D54BFF915DA8EC2FB39E3818029FDA19688B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049337Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:31.800{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41000CB49BDE1940905A79F442848AD5,SHA256=CDFE568F0CC0FCA670EFDE4F627027C518D4D69516FE358A94C3722559393636,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029959Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:29.009{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51188-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029958Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:31.547{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36A633D1B2BECB34A7F589090B00B618,SHA256=855379C4499643E9BC7F25F09DBEC6908D98BF0832C767A1CB8AE858A8781141,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049339Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:30.396{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57492-false10.0.1.12-8089- 23542300x800000000000000049338Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:32.815{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACEA13CF3660F28E7EC00E87C64CBBB9,SHA256=D0D3B3444FE0C57BFAB54375BCC0826F44A6EAA1F3CAF2C6D6467829D292A61B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029960Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:32.578{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE809F15129A43EF0BB9AF365BD85174,SHA256=BF520650F0CA5A9112E12F55F88BD50EB9CCA183FBCE9AAE7BD40BAEE35F0889,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049340Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:33.846{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C34E2884A5A8F86D85BDE1BF89BF3816,SHA256=76EC5E9D32C7A57455EDAC0EAA04B322B10F2F700D51B9251B7D119FD11E9DD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029961Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:33.594{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF67BD565D5AB9F6106049CD00703BBB,SHA256=11F0A4EDF8FD31E3B70C1BA4B932D70C79AE5F037EB414EFDA81CD8E5522BD1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029962Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:34.609{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFB51628CAEE39768B16C2F96F5EB132,SHA256=F89F75F5F281058205271F03A3009AD2F43B30EA9DBC1817C29931CA86AD97AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049351Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:34.883{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=515E8EA97207F62C912305E19AB4EB8F,SHA256=CE0D9B731688429A8399B0DACA346F8CDCC2B1FBAF5F1C902B2F1426BAB95CBB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000049350Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:05:34.546{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000049349Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:05:34.546{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x007542fb) 13241300x800000000000000049348Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:05:34.546{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a31f-0xe06cd486) 13241300x800000000000000049347Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:05:34.546{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a328-0x42313c86) 13241300x800000000000000049346Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:05:34.546{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a330-0xa3f5a486) 13241300x800000000000000049345Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:05:34.546{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000049344Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:05:34.546{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x007542fb) 13241300x800000000000000049343Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:05:34.546{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a31f-0xe06cd486) 13241300x800000000000000049342Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:05:34.546{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a328-0x42313c86) 13241300x800000000000000049341Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-SetValue2021-09-06 14:05:34.546{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a330-0xa3f5a486) 23542300x800000000000000049353Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:35.913{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F65DB6FAB912F930F7EC71900A0E5B8,SHA256=DA993225A064F8F29463E919179C543873867DFFCC3DCC6F7321D0FCE0EC1EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029963Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:35.625{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BEA4BAD9048ECD9F51FC6BEEC3F4B1B,SHA256=55CDCD26206CF936E148A953E5F78C77172D11E1F65E462A8423538336CB27A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049352Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:32.741{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57493-false10.0.1.12-8000- 23542300x800000000000000049355Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:36.929{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18747E8CEC643AFF9058CFC1A506ADAC,SHA256=4E7B508E2D9D6FE0748C47B54F7A60B271F2A687CD6EEF3DD5AAE47460E9207D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029965Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:36.625{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EB94949C0E30B3A0083801D536A6B09,SHA256=220E448F99FCF4EE4E8869F5BF65C36C257B144C486A4B2346B82187187C33CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049354Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:36.429{323FE7D8-022E-6136-1000-00000000F001}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0DACF3DB69125F9346F95EB259B2565E,SHA256=C3C40EE25319E742A67E4543DEA063F09B690313CC2F61FED691A5C35C8FF9C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029964Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:34.103{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51189-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000049356Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:37.944{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FF6BA5025BC8A0EE3CE2B1FE771AF79,SHA256=768B151B83C234F4E900D5FC300CC4985A6BA2FE25BC3896003B1A54C985CE9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029966Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:37.625{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9376D9A69B2B51AB9BCBA6A40E6316E4,SHA256=4DB7D4747043430FB2AE9C241272920EC62E824D9F5FA564F18944F05F11A2AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029967Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:38.640{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DF478F930FF3FB6141F779D8E38C656,SHA256=33BDCE2C3B50910695F7AA3504DA353763354715285A6BBB96077AC209170503,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049357Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:38.981{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF967D00F1BE7D6880928FE037842DA4,SHA256=1EE7C5409A67C4426409748AACF78D0FD642D506C76059FE75DAA51C42791A33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029968Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:39.640{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE870A7F64AAF8CFDCF1984AAD5374A6,SHA256=187742EBD5A2915FFBC8AAD36ABF909FFDFA5CA494F804E9B14DFBDC64C982F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049359Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:37.776{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57494-false10.0.1.12-8000- 10341000x800000000000000049358Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:39.496{323FE7D8-022C-6136-0B00-00000000F001}6245660C:\Windows\system32\lsass.exe{323FE7D8-022A-6136-0100-00000000F001}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000029969Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:40.645{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBA1583EEC20EC1E69023B3BFC49663C,SHA256=5AC88C7E9914DBB01C603E47DA061DAC2F4023CB9680485D4FF20F33A409E1B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049371Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:40.664{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=42D6FFFDD5DC3876CDB8FFC23092425A,SHA256=8CCD13F9CA6B30CDB32F5EFD626644F580CFC59B4C3C382286ECF0A218CF867C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049370Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:40.642{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=E284515ADA60680BA73732CDADEBFC09,SHA256=5E172580D6FE76B694B328706A2000A9AED2E926B631A0D77AE37EC88A3B3670,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049369Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:40.642{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=E4202B8533634CBFFA809BCB9590D549,SHA256=F3D8999B49CE08FCF8C847873186DC484609BF8B273E860DA9E99736A5040571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049368Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:40.642{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=93A5F704ABFEE8EE1A9E15F4BDA1F80E,SHA256=F39428390960FB6491F8ED5B483F927102504E63756795629BF0251CE1AF02EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049367Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:40.642{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=5B928F2860EBF7D2D0FF2097819BED18,SHA256=CAE2EC3F92CC84B973F293300FB78D21DE910417DD44D9733D1D520FA52E0906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049366Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:40.642{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=D5F33039786A5DA8B2444E335A802943,SHA256=E38E145D4DB7B8F75F56C5DE02A1260569CD62A30423FB19619A3B467FA86A90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049365Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:40.642{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=B389E63270D8F7EC8DB9B98B6F2D704C,SHA256=ED5A8111756E07859F330B880D018CB48AF8B1FEA591CADBBAAB28959AAFACA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049364Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:40.642{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=152FDF00B2245D94FBA7442371F2D318,SHA256=ECE3651B14CD112B55A0CC2214D16D6EB3C69AD5E88411D3A3F995F20FF1ED68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049363Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:40.642{323FE7D8-0617-6136-F403-00000000F001}4476ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\c5ep525d.default-release\datareporting\glean\db\data.safe.binMD5=8CA40766C636A79ADF02B8ABF7D62640,SHA256=20BA789AF93FFD2089F90B9261A672DBEB455060DE9E1BA5C4626BF07AD60A50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049362Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:40.411{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79E629DB16DD472DD7356094F8BD1050,SHA256=624C24B80F4D0828819A9ABFA5C911AD959ED139D3788DB2F9955DC4C88A0127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049361Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:40.411{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09A8FBFF3C4592EA0D1AE68EACA54E83,SHA256=9DF5E03DC0FCE69418457816EBF12F64C1734AF68D6328B754FDC9480CF49453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049360Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:40.011{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56FABDCE51D7CD2C576A1424B33DDDEF,SHA256=C9D22DDAA6FFD48A28E372CACA8973AC484D3BA4631D402797629BE45A3D6168,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029970Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:41.645{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D93B873E47ABEA7BE6EE357851E6037,SHA256=706B0588A959768CE1B9CC5D75694C295A6953BD50BB2242BA74E9DECE3D38EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049378Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:41.026{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0DB6376AD14B2DABCE1AEC2AAB08AF6,SHA256=368CDDC31FD62DFBA77BD8DF847443354C040344C2885E4252850984F1F7F759,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049377Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:39.094{323FE7D8-022A-6136-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local57497-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local445microsoft-ds 354300x800000000000000049376Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:39.094{323FE7D8-022A-6136-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local57497-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local445microsoft-ds 354300x800000000000000049375Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:38.990{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-456.attackrange.local57496-false10.0.1.14win-dc-456.attackrange.local389ldap 354300x800000000000000049374Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:38.990{323FE7D8-022F-6136-1600-00000000F001}1308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57496-false10.0.1.14win-dc-456.attackrange.local389ldap 354300x800000000000000049373Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:38.979{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local57495-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 354300x800000000000000049372Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:38.979{323FE7D8-022F-6136-1600-00000000F001}1308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local57495-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local389ldap 23542300x800000000000000029972Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:42.645{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D8A26929C23A7C2874CFA35E1DDB578,SHA256=D25D1726A98CF963F80F4BB908322FF08453C46FA9409AD32FD55866140703E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049379Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:42.042{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=616A89B38C34857F66969808FE112998,SHA256=77ED62913C76AD7B500E29808F8DD0B8866B633064BC9D34C4C6BED5BE7361D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029971Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:39.905{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51190-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029973Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:43.661{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69533DA14EA42A8B6685657F17F65FFD,SHA256=5DCC76AE91CF99053763CF9FF24E2BF4C03682F2B27E5C6A2BC9F49E42BAE8EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049380Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:43.061{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E71601A13BFC542A0A4F15E2AABE8B24,SHA256=928AA7BE5FA6875A6F0775BE8C3F7C05924AF5337C4E4BE7072726ABB4071DB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029974Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:44.661{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40F669168B1D4E2E01D312522B0BE4EB,SHA256=C9DCFF22F9A8E57C59D8D52A5AF9BAF1160B6E711BE96D9E98603355ACEF3376,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049381Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:44.078{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CF927BD11C1E0263F592771D71D5E5C,SHA256=61DADF60330BC179F1F48B02B17341C9FC46A77C817374DBE6D1F4FBC521ED11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029975Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:45.676{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE542AA69C5ACEAFB935DDCC5FB16B14,SHA256=74EDF96293B74CC1723DCA8BF9D57646FAB00A6DA302FC987E7B1A95CAD37535,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049383Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:42.851{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57498-false10.0.1.12-8000- 23542300x800000000000000049382Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:45.093{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9878BF18CB383EB7D6F34D447C7850D5,SHA256=DBE537E7D2620E7F9EFF87378C9ADDF3612DF049663869E1C4C8859254622986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029976Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:46.692{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A74932002B7DEC5E1F1274046A77605,SHA256=8787A31772CAE00AEEB1804ACA8D23E99F33E76CD023165617D69535BDAC0CAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049384Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:46.108{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5AF01863F11B08E8AD4E94EA2D6228F,SHA256=4827D67F901F8C7CB78C531A91C2EDD0AD8CF29B102021D53BA67A7BD16F69E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029978Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:47.708{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE0839721D3EF4A5526FD64F36BD35BC,SHA256=56990A1218A05CB7F80C7953D7F95FE56055EF8C1F2C2AB9417044EC3AFC403D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049426Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.538{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049425Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.538{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049424Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.538{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049423Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.538{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049422Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.538{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049421Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049420Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049419Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049418Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049417Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049416Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049415Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049414Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049413Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2D00-00000000F001}1684C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049412Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2D00-00000000F001}1684C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049411Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049410Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049409Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049408Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049407Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049406Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049405Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049404Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049403Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049402Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049401Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049400Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049399Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049398Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049397Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049396Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049395Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049394Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049393Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049392Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049391Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049390Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049389Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049388Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049387Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049386Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.523{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049385Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:47.139{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FFAC03A02463C4115663F3DC820157E,SHA256=4E34AB5AB988A04D8C0D0B2284AE8A39818F83B266699EEEC149611C375100D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029977Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:44.936{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51191-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029979Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:48.723{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9CEF26551F06B66D0A48050530844A5,SHA256=A07055241774B1A82B524118FB7E2DDFC1DDB4606CF815745DA6AC6740AF0DAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049427Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:48.591{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=009E07E38355B991BA3F319EB033197C,SHA256=83333A85FB29A2F3B8BABDFF193B06461C542FB8016C9087132FF1CD4BEDE64A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029980Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:49.723{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F868F6B324F17C1214CB4A4DCAC05A03,SHA256=7576B8CDA19946F88E49BC2FB07B3E440C948C489D2DB042D50EBC4BEA8088D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049428Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:49.606{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7BD1820C084EECC028AAB422FF06AED,SHA256=34C9C68F3962157D997EC8B0D7A634C42B8EE0344B341FACD899DDE076B3F7C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030006Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:50.739{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E03201242DE12814ADE9CED0F3E3669B,SHA256=9CE30AEA3813BA45C5F41D91B045594821494D3DCABB1708AD01E0D3B0A609D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049429Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:50.637{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC7ABF35775D748AEFA7D31DBAF756FF,SHA256=5B3F21D00BA864874403018B741F2D8FC1D0A9885A091E2298393E262CBB41D0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000030005Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:05:50.458{FFF7FB96-041E-6136-1500-00000000F101}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B34B41A6-945E-47C4-A79E-21712ED67E35}\RegisteredSinceBootDWORD (0x00000001) 13241300x800000000000000030004Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:05:50.458{FFF7FB96-041E-6136-1500-00000000F101}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B34B41A6-945E-47C4-A79E-21712ED67E35}\StaleAdapterDWORD (0x00000000) 13241300x800000000000000030003Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:05:50.458{FFF7FB96-041E-6136-1500-00000000F101}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B34B41A6-945E-47C4-A79E-21712ED67E35}\CompartmentIdDWORD (0x00000001) 13241300x800000000000000030002Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:05:50.458{FFF7FB96-041E-6136-1500-00000000F101}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B34B41A6-945E-47C4-A79E-21712ED67E35}\FlagsDWORD (0x00000002) 13241300x800000000000000030001Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:05:50.458{FFF7FB96-041E-6136-1500-00000000F101}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B34B41A6-945E-47C4-A79E-21712ED67E35}\TtlDWORD (0x000004b0) 13241300x800000000000000030000Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:05:50.458{FFF7FB96-041E-6136-1500-00000000F101}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B34B41A6-945E-47C4-A79E-21712ED67E35}\SentPriUpdateToIpBinary Data 13241300x800000000000000029999Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:05:50.458{FFF7FB96-041E-6136-1500-00000000F101}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B34B41A6-945E-47C4-A79E-21712ED67E35}\SentUpdateToIpBinary Data 13241300x800000000000000029998Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:05:50.458{FFF7FB96-041E-6136-1500-00000000F101}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B34B41A6-945E-47C4-A79E-21712ED67E35}\DnsServersBinary Data 13241300x800000000000000029997Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:05:50.458{FFF7FB96-041E-6136-1500-00000000F101}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B34B41A6-945E-47C4-A79E-21712ED67E35}\HostAddrsBinary Data 13241300x800000000000000029996Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:05:50.458{FFF7FB96-041E-6136-1500-00000000F101}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B34B41A6-945E-47C4-A79E-21712ED67E35}\PrimaryDomainNameattackrange.local 13241300x800000000000000029995Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:05:50.458{FFF7FB96-041E-6136-1500-00000000F101}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B34B41A6-945E-47C4-A79E-21712ED67E35}\AdapterDomainName(Empty) 13241300x800000000000000029994Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:05:50.458{FFF7FB96-041E-6136-1500-00000000F101}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B34B41A6-945E-47C4-A79E-21712ED67E35}\Hostnamewin-host-353 13241300x800000000000000029993Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:05:50.458{FFF7FB96-041E-6136-1500-00000000F101}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B34B41A6-945E-47C4-A79E-21712ED67E35}\RegisteredSinceBootDWORD (0x00000001) 13241300x800000000000000029992Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:05:50.458{FFF7FB96-041E-6136-1200-00000000F101}1020C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b34b41a6-945e-47c4-a79e-21712ed67e35}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x800000000000000029991Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:05:50.458{FFF7FB96-041E-6136-1200-00000000F101}1020C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b34b41a6-945e-47c4-a79e-21712ed67e35}\IsServerNapAwareDWORD (0x00000000) 13241300x800000000000000029990Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:05:50.458{FFF7FB96-041E-6136-1200-00000000F101}1020C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b34b41a6-945e-47c4-a79e-21712ed67e35}\AddressTypeDWORD (0x00000000) 13241300x800000000000000029989Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:05:50.458{FFF7FB96-041E-6136-1200-00000000F101}1020C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b34b41a6-945e-47c4-a79e-21712ed67e35}\LeaseTerminatesTimeDWORD (0x61362e4e) 13241300x800000000000000029988Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:05:50.458{FFF7FB96-041E-6136-1200-00000000F101}1020C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b34b41a6-945e-47c4-a79e-21712ed67e35}\T2DWORD (0x61362c8c) 13241300x800000000000000029987Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:05:50.458{FFF7FB96-041E-6136-1200-00000000F101}1020C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b34b41a6-945e-47c4-a79e-21712ed67e35}\T1DWORD (0x61362746) 13241300x800000000000000029986Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:05:50.458{FFF7FB96-041E-6136-1200-00000000F101}1020C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b34b41a6-945e-47c4-a79e-21712ed67e35}\LeaseObtainedTimeDWORD (0x6136203e) 13241300x800000000000000029985Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:05:50.458{FFF7FB96-041E-6136-1200-00000000F101}1020C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b34b41a6-945e-47c4-a79e-21712ed67e35}\LeaseDWORD (0x00000e10) 13241300x800000000000000029984Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:05:50.458{FFF7FB96-041E-6136-1200-00000000F101}1020C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b34b41a6-945e-47c4-a79e-21712ed67e35}\DhcpServer10.0.1.1 13241300x800000000000000029983Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:05:50.458{FFF7FB96-041E-6136-1200-00000000F101}1020C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b34b41a6-945e-47c4-a79e-21712ed67e35}\DhcpSubnetMask255.255.255.0 13241300x800000000000000029982Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:05:50.458{FFF7FB96-041E-6136-1200-00000000F101}1020C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b34b41a6-945e-47c4-a79e-21712ed67e35}\DhcpIPAddress10.0.1.15 13241300x800000000000000029981Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-SetValue2021-09-06 14:05:50.458{FFF7FB96-041E-6136-1200-00000000F101}1020C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b34b41a6-945e-47c4-a79e-21712ed67e35}\DhcpInterfaceOptionsBinary Data 23542300x800000000000000049433Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:51.657{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA89C1A5D6016EE10AFC596CF778E572,SHA256=06F373B28CB5D30FCEFBBC965B45BB49D047260D4ECF3875F22BFB167B64F9A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030010Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:51.770{FFF7FB96-041E-6136-1200-00000000F101}1020NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4550D332A128A9F983472855DC778DC0,SHA256=48894C35F1EC8309CEC886D4BD66A99AAF230A5D63EA645A7CD719B9DD6C8BF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030009Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:51.739{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE43F612C4F21005704DFAC28E746E9,SHA256=E28AFCF023CBFE0695AA249507B9AD593C24DBD96FB3FCA3357F6D1DC629D46F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030008Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:51.473{FFF7FB96-041D-6136-0B00-00000000F101}6282504C:\Windows\system32\lsass.exe{FFF7FB96-041B-6136-0100-00000000F101}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x800000000000000030007Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:49.967{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51192-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000049432Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:48.732{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57499-false10.0.1.12-8000- 23542300x800000000000000049431Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:51.275{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1D60A533A06996E3E7E8B29F0AB8AE7,SHA256=CB0EA8314F39DF71316C163F382F2E35DB8ADB86D4EEB9A260E018523201E696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049430Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:51.275{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79E629DB16DD472DD7356094F8BD1050,SHA256=624C24B80F4D0828819A9ABFA5C911AD959ED139D3788DB2F9955DC4C88A0127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049437Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:52.674{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E67F6D1BC296D5BD752F93CB6C5E1F,SHA256=D4DEBB20E232A3AB6633411D100A38B1CC47C8FD08E7CBBEBFDA896F648CD09B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030015Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:52.740{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7F30EDE8F7F3788E7E7F970F59C09E0,SHA256=74F24B595D79AE3F33CBD6FCF8934C51F619DF8800ABF8BC0DD2E0F07A14583A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049436Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:52.537{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1D60A533A06996E3E7E8B29F0AB8AE7,SHA256=CB0EA8314F39DF71316C163F382F2E35DB8ADB86D4EEB9A260E018523201E696,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049435Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:50.096{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-456.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal62633- 354300x800000000000000049434Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:50.094{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-456.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal59107- 354300x800000000000000030014Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:50.322{FFF7FB96-041E-6136-1500-00000000F101}1044C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c880:c40e:829a:ffff-64180-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x800000000000000030013Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:50.322{FFF7FB96-041E-6136-1500-00000000F101}1044C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:d094:a345:fbac:b572win-host-353.attackrange.local64180-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x800000000000000030012Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:50.311{FFF7FB96-041E-6136-1200-00000000F101}1020C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-353.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 23542300x800000000000000030011Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:52.289{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\respondent-20210906120554-116MD5=4761C661187147E55C9BD88F93ACDD3F,SHA256=E49051AD655512C416AEEFA39D6145E31F50204E8459201070596158B48A8487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049440Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:53.675{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2471E8452872BF968ECA643AE0BAE914,SHA256=883E62B875869F83CEE4AD344502F0E07B6087B8DCDF758FC774C7E5E20ED6AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030018Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:53.754{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A6313D71942713CDCC8DB47F5F7AB47,SHA256=9231CC08A62D9E37A648DE1506C4DC99E30A542A2966D15AA66D149BC6F71F10,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049439Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:51.101{323FE7D8-022A-6136-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51193-false10.0.1.14win-dc-456.attackrange.local445microsoft-ds 354300x800000000000000049438Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:51.099{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-456.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal60627- 354300x800000000000000030017Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:51.330{FFF7FB96-041B-6136-0100-00000000F101}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51193-false10.0.1.14-445microsoft-ds 23542300x800000000000000030016Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:53.303{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\surveyor-20210906120551-117MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030019Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:54.758{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5381EB22D205850BEBA6AE160559E29,SHA256=E5BEF0405DF8749070E9BDD731B3592A6C003C57795EC330F7331CA5EC6D6485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049442Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:54.691{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8C98A51F65EC8BA0A027EDAEB3F0164,SHA256=0B78B7F4746F0C4FC1D200DB1D61047A536AE228698BFC1960119A16557CA7B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049441Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:51.958{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-456.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal62288- 23542300x800000000000000049443Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:55.706{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70D105436B1FD01C249038EFF91A01FE,SHA256=D748B20BD563D37DDED51E1B9772BEA83F2814F2FD5F83ED221100F5D41CA21F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030020Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:55.773{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD4DACAFD91D013B8252F88BC5EFF9C0,SHA256=B7FF9433DDB9F9912A5DC6001F25DE82B6CBC106A4A73C8F8EE466C715E49CA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030021Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:56.773{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D90BE00280F336086D53359C7A74F678,SHA256=D8DE95FC27CB0A0B980B55E60C35C7D29356356306D266D79B9088C9EF06BE8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049444Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:56.739{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A42CD22D71FE865DB623D95E9D1D797B,SHA256=15D19B6BD9CAB5CC1991080CB1C753A7C3AADBE5D40EACC8FF73977DF2948D39,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030022Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 14:05:55.939{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local51194-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000049445Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 14:05:54.748{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local57500-false10.0.1.12-8000-