23542300x800000000000000024653Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:35:58.691{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=754B364EE577CAE31528ADF09ABB5CFA,SHA256=D195FA48AF2B393353179D79EB9BA56DB3ED5353CEAB41DBD9593E7FCD8F7D18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043599Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:35:58.667{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=133DE2AEC6C1925B5A20745BC9B24BB9,SHA256=1E72E044E4703E04277665685C6EDC49C7ACA985A0B3796724C2FEF0B4F52F0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043601Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:35:59.685{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B306622C0BD3E358A9366E674CA17C3,SHA256=89F0F8EB28947B487FA67B695FEBDEF554C4277CD092751B9F6CF3367A799525,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024654Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:35:59.691{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CCF40759218BE898ADE05577604FCD2,SHA256=B4EE4FEB61AF2BC4EC63DDB5B38F6D89B91A6463DA452DC6A1DBE523C43A70EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043600Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:35:56.843{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51570-false10.0.1.12-8000- 23542300x800000000000000024655Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:00.691{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B94ADB179597204694D35BFDF0D5A85C,SHA256=F05FFEC94A0D974C49C95D900A7612179083955533430FF87F6480D6C7563ECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043602Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:00.716{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=197DA1B6FECCBCFE37EC07C73C3E426A,SHA256=7E5EAFAD576927CE2CC8A6FB4ACBAC4B6507A7A01AAA429375BBBB104F1B8B92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024657Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:01.691{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D843188A94E9DD8B432B43A0AD5DC9F7,SHA256=CFEE0D9A4123A054FD5BF547D7C4B74DAF23C993F765D01EEE952815F92BADD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043642Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.764{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B081736BA7AE366E20CC2357E416F1B,SHA256=72B2EBC4CEEB93D36A4D83D3808569CB167B26CBEA89F696597A98E55CDB7E2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024656Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:35:58.975{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50834-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000043641Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043640Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043639Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0549-6136-8002-00000000F001}5500C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043638Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043637Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043636Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043635Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043634Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043633Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043632Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043631Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043630Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043629Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-0547-6136-7E02-00000000F001}5276C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043628Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2D00-00000000F001}1684C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043627Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2D00-00000000F001}1684C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043626Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043625Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043624Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043623Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043622Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043621Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043620Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043619Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043618Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043617Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043616Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043615Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043614Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043613Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043612Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043611Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043610Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043609Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043608Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043607Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043606Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043605Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043604Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043603Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:01.516{323FE7D8-022E-6136-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{323FE7D8-053B-6136-6E02-00000000F001}4440C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000043643Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:02.799{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=367560B3D67AA373E090259A992354DB,SHA256=08FD5B1B87B9BE077ED350BFF1B09F647F7278DB206F9C721789158CA69EAA2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024658Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:02.707{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AB331FBE9B97D6FE68DCB05E1D8E2D6,SHA256=6952D89ADEF3F259CC416D29032F8B7ED8FE59D871C2536AB18152A5D133D80F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043646Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:03.830{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B9A7AC878152CE557362CDA6F66ECDA,SHA256=9F915B3239C570C774894204BC93068ACAB5E66FF93AE4634327B42EC6F89354,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024659Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:03.722{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=924D17AE635C027B0F0916692C7FE47E,SHA256=D1A368AAFBED9BE9388965E7595548E5B8B8AF085EBA103C3B4FBF12A6B08D02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043645Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:03.299{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=055879BDA4F601FBB7B50EB470046C62,SHA256=4734740FFF25C6EA2B5BC77C0347E4FB282E6A26057863659595246974F1D8B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043644Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:03.299{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F627EFE3B0E91B8313514819C808DBEB,SHA256=E75DAD34FEEA7C8C6613C770B613E28AAF17B3C34ABBF7F1629753A51E419BC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024660Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:04.722{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A273E7D1BAA6EE11237ACE4D970E8304,SHA256=E4C1A888C5203C7010B2C4EACF4D08EE87ADB7102368ADA0D7120C6C6C4A2577,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043655Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:04.845{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=904EE9A33E928972EE23D1CB5DAAF0C7,SHA256=7D17F50631D04ED6512EF3E1F55E6054EE2878C1936B535266BA914DDF757B95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043654Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:04.566{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1944-6136-B508-00000000F001}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043653Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:04.563{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043652Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:04.563{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043651Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:04.563{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043650Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:04.563{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043649Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:04.563{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1944-6136-B508-00000000F001}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000043648Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:04.562{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1944-6136-B508-00000000F001}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000043647Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:04.562{323FE7D8-1944-6136-B508-00000000F001}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000043675Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.866{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EAAB3F4BC84633C67700B2F79FB0C99,SHA256=B884AA5C9C8BF895FB841C86EB313212C3A547BD074E0A801FEA3431033F77DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024689Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.832{FFF7FB96-1945-6136-2F06-00000000F101}6762640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024688Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.629{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1945-6136-2F06-00000000F101}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024687Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.629{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024686Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.629{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024685Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.629{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024684Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.629{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024683Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.629{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024682Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.629{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024681Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.629{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024680Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.629{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024679Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.629{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024678Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.629{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1945-6136-2F06-00000000F101}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024677Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.629{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1945-6136-2F06-00000000F101}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024676Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.630{FFF7FB96-1945-6136-2F06-00000000F101}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024675Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.582{FFF7FB96-049C-6136-9F00-00000000F101}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024674Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:03.991{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50835-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000024673Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.144{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1945-6136-2E06-00000000F101}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024672Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024671Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024670Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024669Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024668Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024667Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024666Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024665Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024664Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024663Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.113{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1945-6136-2E06-00000000F101}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024662Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.113{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1945-6136-2E06-00000000F101}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024661Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.114{FFF7FB96-1945-6136-2E06-00000000F101}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000043674Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.828{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1945-6136-B708-00000000F001}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043673Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.828{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043672Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.828{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043671Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.828{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043670Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.828{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043669Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.828{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1945-6136-B708-00000000F001}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000043668Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.828{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1945-6136-B708-00000000F001}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000043667Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.829{323FE7D8-1945-6136-B708-00000000F001}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000043666Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.582{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=055879BDA4F601FBB7B50EB470046C62,SHA256=4734740FFF25C6EA2B5BC77C0347E4FB282E6A26057863659595246974F1D8B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043665Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:02.609{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51571-false10.0.1.12-8000- 10341000x800000000000000043664Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.413{323FE7D8-1945-6136-B608-00000000F001}62402856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043663Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.213{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1945-6136-B608-00000000F001}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043662Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.213{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043661Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.213{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043660Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.213{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043659Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.213{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043658Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.213{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1945-6136-B608-00000000F001}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000043657Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.213{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1945-6136-B608-00000000F001}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000043656Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.215{323FE7D8-1945-6136-B608-00000000F001}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024706Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:06.832{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A420E2564C94992A09DC21F2D6742F1,SHA256=FD366E5073DAF5212724ECB6E03704ECD5A2C152C9F7D445C8E4FCF654602FA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043677Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:06.881{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DF6B4E9C736452B87BD94A384CAC0C6,SHA256=27417EC0035B9B1F946F2473B282640A839DBFFEED3022904F7886081AA30112,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043676Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:06.881{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3BCA29C5592C1DA62709D096B684527,SHA256=04BDFB16D35D0E42DB2A4EE1ADCE704364064385CA83CE00EBF29F39C53BC5FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024705Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:06.238{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1946-6136-3006-00000000F101}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024704Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:06.238{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024703Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:06.238{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024702Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:06.238{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024701Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:06.238{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024700Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:06.238{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024699Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:06.238{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024698Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:06.238{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024697Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:06.238{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024696Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:06.238{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024695Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:06.238{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1946-6136-3006-00000000F101}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024694Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:06.238{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1946-6136-3006-00000000F101}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024693Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:06.239{FFF7FB96-1946-6136-3006-00000000F101}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024692Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:06.175{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB9406A8C39258BDDBF56E3E9B2E6BA0,SHA256=31A746E1C0BEC6AD648466DB2D5E10AEEC5EDA1CE88C6EC373B6533F33104188,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024691Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:06.175{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E17652426DD274E60B5BE6263660AA39,SHA256=3C69CA7D34626509B402BA893C73144734CD1761D355FD08DA5DA1EB4F2C046B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024690Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:06.019{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=344A1652EF7DD42995ACADC42760391F,SHA256=A494EDE3A9615172E550146CC09847ADAEDB58714A44AB1F075FF78C78D0474B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043680Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:07.912{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CA4D61703F31112C7E53DF13BD2206E,SHA256=CAB1854F07F4D2728A4EACD459FF1DB70B4248D22AF0D9FBF618736626234F6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024724Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:07.870{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE860FFB39A057249845BEABDB2AC4B4,SHA256=7564FAF51D4B90F0921128C5E4A6DDE1F991F9FF9F7C2FD1B67B9C3872AD2088,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024723Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:07.865{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\respondent-20210906120554-087MD5=4761C661187147E55C9BD88F93ACDD3F,SHA256=E49051AD655512C416AEEFA39D6145E31F50204E8459201070596158B48A8487,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024722Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:07.644{FFF7FB96-1947-6136-3106-00000000F101}8003228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024721Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:07.488{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1947-6136-3106-00000000F101}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024720Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:07.488{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024719Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:07.488{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024718Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:07.488{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024717Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:07.488{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024716Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:07.488{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024715Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:07.488{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024714Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:07.488{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024713Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:07.488{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024712Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:07.488{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024711Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:07.488{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1947-6136-3106-00000000F101}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024710Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:07.488{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1947-6136-3106-00000000F101}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024709Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:07.489{FFF7FB96-1947-6136-3106-00000000F101}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000024708Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:05.413{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50836-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000024707Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:07.285{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB9406A8C39258BDDBF56E3E9B2E6BA0,SHA256=31A746E1C0BEC6AD648466DB2D5E10AEEC5EDA1CE88C6EC373B6533F33104188,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043679Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.123{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51572-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000043678Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:05.123{323FE7D8-023F-6136-2800-00000000F001}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51572-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 10341000x800000000000000043699Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.946{323FE7D8-1948-6136-B908-00000000F001}17006936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000043698Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.915{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CAD327DC5BCCF1FE54335640B89D5A8,SHA256=8ACD4E8A56199B1F8BAB61583842D9E0B02B1BCEC11E568A6F0C49251BDDC384,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043697Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.746{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1948-6136-B908-00000000F001}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043696Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.746{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043695Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.746{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043694Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.746{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043693Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.746{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043692Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.746{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1948-6136-B908-00000000F001}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000043691Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.746{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1948-6136-B908-00000000F001}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000043690Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.747{323FE7D8-1948-6136-B908-00000000F001}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000043689Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.300{323FE7D8-1948-6136-B808-00000000F001}58161168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043688Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.080{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1948-6136-B808-00000000F001}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043687Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.080{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043686Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.080{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043685Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.080{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043684Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.080{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043683Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.080{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1948-6136-B808-00000000F001}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000043682Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.080{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1948-6136-B808-00000000F001}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000043681Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:08.082{323FE7D8-1948-6136-B808-00000000F001}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000024754Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.908{FFF7FB96-1948-6136-3306-00000000F101}8041628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000024753Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.864{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\surveyor-20210906120551-088MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024752Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.738{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1948-6136-3306-00000000F101}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024751Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.738{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024750Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.738{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024749Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.738{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024748Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.738{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024747Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.738{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024746Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.738{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024745Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.738{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024744Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.738{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024743Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.738{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024742Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.738{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1948-6136-3306-00000000F101}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024741Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.738{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1948-6136-3306-00000000F101}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024740Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.739{FFF7FB96-1948-6136-3306-00000000F101}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024739Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.722{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39595E3F70E5980DEC0B486C130633D5,SHA256=BE749E600C10CA24CC02BB176D9817F41FCD24745802CC7376E550AE372EAF11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024738Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.301{FFF7FB96-1948-6136-3206-00000000F101}7202476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024737Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.113{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1948-6136-3206-00000000F101}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024736Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024735Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024734Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024733Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024732Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024731Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024730Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024729Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024728Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.113{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1948-6136-3206-00000000F101}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024727Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.113{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024726Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.113{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1948-6136-3206-00000000F101}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024725Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:08.115{FFF7FB96-1948-6136-3206-00000000F101}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000043711Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:09.921{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=228A59506E1CFDCEE652C34FF870B2AA,SHA256=CC1193ED0047BC8DF2345037B0E8FA94E6501210F4533EDDE566321107117C5A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043710Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:09.673{323FE7D8-1949-6136-BA08-00000000F001}1003760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043709Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:09.415{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1949-6136-BA08-00000000F001}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043708Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:09.415{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043707Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:09.415{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043706Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:09.415{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043705Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:09.415{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043704Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:09.415{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1949-6136-BA08-00000000F001}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000043703Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:09.415{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1949-6136-BA08-00000000F001}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000043702Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:09.415{323FE7D8-1949-6136-BA08-00000000F001}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000043701Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:07.852{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51573-false10.0.1.12-8000- 23542300x800000000000000043700Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:09.099{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D9E3D04E6D7CD0828AC52621BC8B204,SHA256=A34BD213A6963408EA92C8CDD8E5A965DB43D114028668FEC91A0BCFB2E3CC86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024769Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:09.739{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18C1CB04D1B4EADEEEC00DFADFEEB3F7,SHA256=038C2346C98B80E2E715A27E51469C788C75E1440B229E340BD078BBD81A5A6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024768Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:09.410{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1949-6136-3406-00000000F101}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024767Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:09.410{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024766Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:09.410{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024765Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:09.410{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024764Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:09.410{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024763Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:09.410{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024762Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:09.410{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024761Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:09.410{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024760Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:09.410{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024759Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:09.410{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024758Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:09.410{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1949-6136-3406-00000000F101}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024757Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:09.410{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1949-6136-3406-00000000F101}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024756Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:09.411{FFF7FB96-1949-6136-3406-00000000F101}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024755Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:09.079{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A559B0D29ED6BFE6232CA1D3FB6E2CE,SHA256=943B84665195038190CB732EABA40368AC28546927572F7B1C7042694917F1B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043721Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:10.924{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CC32CA7A7A6F62B70A22322505560FE,SHA256=BC0D69677A8B1841D65C69F6CA3C909ACD81C523309B599A0272EA39D1EDC844,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024770Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:10.082{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=352FA6FCBB22659C93D9E30F0BC69C9D,SHA256=11CA5BEA6CA937729EED4FBE561956FDB5E3EBB52960F648694EE33944D51E9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043720Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:10.424{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F97484470144DF335C9B02AC8FAF784,SHA256=D338F09EA6967C1632FC4497DCBCD69733144D398E86832E8477DDD5ACD3CE44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043719Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:10.105{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-194A-6136-BB08-00000000F001}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043718Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:10.105{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043717Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:10.105{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043716Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:10.105{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043715Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:10.105{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043714Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:10.105{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-194A-6136-BB08-00000000F001}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000043713Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:10.105{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-194A-6136-BB08-00000000F001}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000043712Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:10.106{323FE7D8-194A-6136-BB08-00000000F001}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000043722Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:11.954{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6C839C5AA03EE2AB4EBF5C5F92538F4,SHA256=2051DEEEB7B3E1F1EF0D899C99EB967E9DDBD75BA9D2FEE8A6C9BD3C835FFC2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024772Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:09.960{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50837-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000024771Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:11.129{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2411B458B0E4DC04CE7941172BA4BFF2,SHA256=7E07CC07522B9BA688E3790127BE00227D4CF1A1C4540554EC5EC06C77B8223E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043723Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:12.969{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8F9E55AFE0A79BF6ACBACD60B33751E,SHA256=F577B9625F1EB97D95CD203178AFAAC17705E79F1CED709EF46DE6A051934469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024773Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:12.129{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B921942AABED6E34BBAB122087C506AF,SHA256=B58F824C96A99919F6DE8E503B7AC36722258219B581F14654B749C188752EBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043724Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:13.987{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73E676702638F9057796105C89971B02,SHA256=1EA749DD11C1C8F5720444BA1715E72BE4FFFB2FB40EC39B6EDF0838FA496D99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024774Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:13.129{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A05CBFC5D82E8861CFC578E9F9D06625,SHA256=04A8CFB8919D0BB6FFCC4678403C165E2CB1F140623BAC0C34E9AF5583BB57DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024775Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:14.144{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2FB360C03B4AF580D53877AAC0274A9,SHA256=C1226AB67B6BE1284B1BC643B34F09702BE3AB2859AC025B5C663E31E16426CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024776Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:15.207{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=179218E96E7E2BAA2E8130E699B1E1BF,SHA256=8889935C7DDEC208411FF3D5D1F79D19F9CF53EC4D405FD67993579F5BA90210,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043726Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:13.601{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51574-false10.0.1.12-8000- 23542300x800000000000000043725Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:15.005{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8449FC1F5A57DEF74606349BBA477C44,SHA256=B47E0948E483FA35A3C7589596F40921F826E0D61391E33C25649491B5A10486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024777Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:16.254{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7904B16ECF306305B3FA6CFE7E1C7D4,SHA256=BECF9BE70855FF09B28D80DBBBF6BA5C41A27E7CD23F0018E394E03DBD267E62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043727Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:16.020{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=955B41A513D223D15E581BC37F980FB1,SHA256=2A2800EAEDE82EF77A462B09D5EDA4578B81515140DBCC1AA773CDA33C20E854,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043728Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:17.051{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5E6C061E9456E50DA2970382310F8D2,SHA256=C214448565E37217BA25385F0F576F196D8CC2A858BF20ADA8AEB6973F2DB2D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024779Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:15.960{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50838-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000024778Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:17.285{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5D77685CA0D70994DC4263B5E0C1FF4,SHA256=A764890797522FF49B48622727A5C4612C177870CB8BB97CCC0582E9B6EF6192,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043729Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:18.083{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15F8FCD0C6808C541144AA268EF2A982,SHA256=C6F0202CB4132E1080FF2B510951AF0B476F37E6FF3FC8B2EC7FCA5A3B0F83CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024780Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:18.301{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C35917126C8C9EE852711ED11090B1C4,SHA256=B6509A5ED226127AF30BE504923DA423BF1F743BD08108D857BA39EFCD6CBD53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024781Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:19.360{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD738DBF2871C70823C6C30B3109548D,SHA256=23F8FB4E375845E9B72522038DBD61B130F872C69E92740B6B42067BB03652D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043731Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:19.483{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\respondent-20210906115753-095MD5=58D52BFFD80488B8005F7C319C2D4334,SHA256=B9D8441D1BC2ED8425146F5F211E2A21C477807F4E0B7EBAD9811C868FAB9279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043730Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:19.103{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B291F5C18BB31E0F79902D81D10425A6,SHA256=2300D2073F9D608A4D600B14EBE8E3764F4679DEF2C0D3D24A844603D8672821,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024782Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:20.392{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FED1E3E734C4B7415DC556ECBAFA0479,SHA256=4A82BA765C50F4FBE8D06A7B3FD550E4EBB95A50E32A5961C394A25A80D9622F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043736Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:18.828{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51575-false10.0.1.12-8000- 23542300x800000000000000043735Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:20.502{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\surveyor-20210906115751-096MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043734Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:20.117{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA4B333B3EEF24E1931BC2A33D5B8ACB,SHA256=1D3A0C83B0786A892232E7AC864A2A1A9075AB1E092C282D4195CEC2A16AE591,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043733Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:20.033{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33120D223A941700840F61A3CAD468BF,SHA256=C91B6F45A47A5EEFC50BB145F9CF16A812A678E564AFC6219600B5A704C7691A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043732Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:20.033{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C65B2718071C296AC55EC4138C4FD0DB,SHA256=6535AF10D8EA82074DA141CD054D59A7C4640FC003E53B0527BE6A42698449E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024783Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:21.407{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC5C071F2C4F5C951E3411A1876A10A2,SHA256=DBE1F91ABFB328DA585D815182BBF56CFDE934FF2F5BA4D2492F87325788BBD5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043738Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:21.600{323FE7D8-022E-6136-0D00-00000000F001}9042288C:\Windows\system32\svchost.exe{323FE7D8-053A-6136-6302-00000000F001}4892C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000043737Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:21.132{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=418971A3F2D91E6537E5267AA51C5461,SHA256=6DC0A5E8F43769816DFB735BAAA3FF45EF73BAEE90CB649D05533FFF04446EDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043739Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:22.147{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9DA44D5ED5378E5F45A7F727F63EC8A,SHA256=EC420F5D7A203C6C2A7116B6E012BC5008C1B6B80C010E5433338A558A64EBFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024785Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:21.020{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50839-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000024784Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:22.407{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82607416A02391A860AC45ACFF106E91,SHA256=1FD881A9FF66F785A026A30215F5F204957820E2F4991E3087666823CC954C25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043740Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:23.179{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D860D55ACD1A60481EFA6391F89409A,SHA256=94DD64852BEE8ED07620A9127E4235C1722BE4F99D853B5E5234D06EEAE6E798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024786Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:23.423{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B72052055E4E452979A1D4E5115D54EC,SHA256=F5710E5342E1B0ED969CA1F8F5EC2F01509FC90A9BD824870DE84D91482351D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024787Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:24.423{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=622C7029828F881C9A953D4272DF95B5,SHA256=F3C0C84152DEB7FB594AE7475449BB7B0D9552E23AFA8496628E44C40E72F070,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043741Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:24.214{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8A38C7490D285872CA8A94F4AD9E722,SHA256=C46CE973F71606AA1E58703DB500F1B7F9BC866521CA63625EF2D84A5AADF855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024788Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:25.423{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B898C0227797330B9032955B5968DF6,SHA256=612D8BDDC53B5672B91BF4D8BB2578C269CAE2583F47D69D95B847292534E090,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043742Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:25.229{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D931B1C1606BD5D77A8C3002EBB58CBD,SHA256=74F7EDD0F1054CF0CB066766C15E66AE08B5AA307E2699F8E3E4E95B406637F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024789Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:26.439{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=476149386743B6FCC5339B409EFC8D78,SHA256=E2FFA30A83D936807B968E7EEFF0679CEB0654AD71AEB9317E5921677EAC3E88,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043744Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:24.807{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51576-false10.0.1.12-8000- 23542300x800000000000000043743Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:26.244{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7369BC9FD931EDB8B9C2C474AEFB8154,SHA256=CBE4415D38D7B13BCBE6243D549833D2F695305397322F9E90398B7539393BA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024790Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:27.470{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28EE5BDC717E0E2C036A3CC2994E83FB,SHA256=F9293468E21DB42F6738F2DE2ABB2703201C4C2F4AC791A06E814698D245CBE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043745Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:27.276{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4CA0DFB994D206A4B6680D5C1B17E41,SHA256=3C2B10F186852A19540ED5F894039359DF9A35D7D800BBC17F85D57519965089,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024792Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:28.501{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA05153AA98FA38FA7EBB91345C87F66,SHA256=E32D40A4C9FBD77D95E6DBB3F21C8ABC525C2B4A05E987A21D17EDA10452460D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043746Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:28.311{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92794DDC90399B39291C700BA58CA1DF,SHA256=BEAE4F52709982EF5CA7B639AF917F052083CEE4AA71906E24985D63A97CDBD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024791Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:26.020{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50840-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000024793Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:29.517{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9EDD4C4C5521919334781C47667BD02,SHA256=17728DCCF66612519A86200A40800490620F7979FEB96919AACC3B5AE5DEB0C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043747Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:29.341{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB270EF50A6614961B1E441DF1424406,SHA256=D831DB30EFB035E3EEB3D630FF710D8553610789FF937BDEE98CD75F7F055448,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024794Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:30.532{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A63A0830C6E7E577D4AC829E1494C7,SHA256=462A8249B500DDF17812D2B21D527B11781836F78DC47045D36251AEFEA4E7C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043749Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:30.341{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC2CA0D35E75C09C10379A873D675EA,SHA256=C977D840D1BDE9043FBD71EA59B46C12367FF1AA12F21883707F4403E7C6954E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043748Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:30.095{323FE7D8-02BC-6136-A700-00000000F001}1036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024795Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:31.532{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=878A585F03ACEDB2935FE5A92B0D9058,SHA256=9193ADA1747D5EFFE9B31CCD631F0A1EBC7BF21B7160F4A9E7C57D4A3C56F909,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043751Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:29.667{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51577-false10.0.1.12-8089- 23542300x800000000000000043750Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:31.374{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CCD1385BA1EB5E1E37E59D1AF77C55F,SHA256=42DE07BC79DB523CF7BDCE9DF825E83AAE64DF5CE8FDFA66C1D235FD0829C6CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024796Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:32.548{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D97EC5997007213014AF546E4C68E0,SHA256=7EC0A6815114393EBA09FC51C4DD4830C0C07A30A17164C6B95301187137B994,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043753Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:30.820{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51578-false10.0.1.12-8000- 23542300x800000000000000043752Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:32.410{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F23CB72FFD21574B14D8BFD6B12C447D,SHA256=8F5FEBF85DEE99C89C5C4EDBACB7389D3FFCCCB5B03E331D01F1EB10C894B747,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024798Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:32.020{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50841-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000024797Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:33.579{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D41F62FF644D0C6BBBC49CD4CFB6767E,SHA256=B22C1F1ECED8CFE40756C478417ECB4F418057ACF6BF2CD52B6D3FABE1B0AC07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043754Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:33.425{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ECE5A9BA7B3EF6F6965287458AD8E33,SHA256=1E88AC82D206CD74ADA8A7C223BF8CAF0BCF234E8AAE7259F50D1B2BEBFB31DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024799Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:34.595{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F10064B0579E493A82CB17C42F28D888,SHA256=D54ECE270136E34331C5FF32780BD99753580040383F0EFDC1B67E9625C01C18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043755Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:34.426{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BA2F17105EA147C2034CF4B85D28E74,SHA256=898A7518581C4A75846F5B76DD7D2289E37F2E7E87FA041D7C5BFA98A0E81DE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024800Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:35.611{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5036D6C6E421600F9178D3338BBB642,SHA256=F9F58E8CFA7B77BC32BC173A507604C0B1E671D71DC38E56F1C74840A3927FF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043756Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:35.440{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE5F64F68337DBFEA8DA74BA0DC540A0,SHA256=06C16CDCE3C6BDDFA68FF5D6B76E518DCF4C6AB18DA6F00DE089EF47FB296C18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024801Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:36.611{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2604D7A7843AB0716EF9059B5ADF821C,SHA256=C9534FCB5D815C0024FE58C92DABE263751E8AEB7D4D0F68815131C8DAAC8FE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043758Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:36.473{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8C480385D63C9BE85467F84F00D189E,SHA256=455A8D05DB83DCEF71EBE4585829DE80BC24461C7FBEEF475033E1574F97531C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043757Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:36.172{323FE7D8-022E-6136-1000-00000000F001}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=33B9230349D431578A2B7A519E4CF8D0,SHA256=E6BAFCB28AE008FC1CE2056224D7D39E4A6F744EB48F4DC0AA9C140C3345733A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024802Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:37.611{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C29538F3BEA7D37F5B1C65187C6C6967,SHA256=5D898E0E812C5FB3E6E61ACFE006DB458E2D79AC6F8352A08760E01ADBF22C66,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043760Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:35.834{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51579-false10.0.1.12-8000- 23542300x800000000000000043759Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:37.476{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A0F5DBE454F675F0590EE621D326999,SHA256=9BC4F5531AD1A9DC58296073E47E2215342652CE792F9D29B4759C7AD2305099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024803Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:38.631{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B0C4E16C25FC420E32F61B087FB012E,SHA256=8F58B05DB08B66255C077E00A6A8363FB55288F70FB11F1D313BDA584407A320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043761Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:38.495{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49CB5E186BB7FB6F4C5DC43DC3B557AE,SHA256=323AA382EA4BC56E6CDB4BCF0EB11BAD8630A597AC828514570B2034DBF01154,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024805Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:39.662{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D79EC160ACD5AA6A98825B129A127AAE,SHA256=5C002764097405C6673B0ADD50CE7C32F28F83D070A213598E066BC94FB5016F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043762Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:39.526{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=787206796E694B0F14A188A5E080347A,SHA256=A315A929313B517A90BC6A9A528AB3F514BEB53D15991B92091BE20919FB64AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024804Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:38.020{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50842-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000024806Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:40.662{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA39B45A1AC378DFEE466F6F9F78415C,SHA256=2858EF2462C2A4CD514D4DE4D035349528E3310B4066F02285E80B976870ADE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043763Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:40.526{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20BD3A4A31066C136D246AD2DF3136E2,SHA256=58235EB352E33893D73D1DF523513863D90F0C25460BE9EAE83D1D9AFAAB9EB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024807Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:41.678{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B061282196C393D69185978D419DDF26,SHA256=B0B5938C20F38D0D4A115260F4BA2F6E56BB1C06C26CD77BA8A25FF1B4940884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043764Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:41.556{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F83E220ADA8A5944DD841DC304B4D86,SHA256=57A23D746BEE882B1EB2C01AA06DBECEF1483B9C6A40AEA5F956D10BD18A71C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043765Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:42.557{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C894FB12DA81BE02883379097EDD450C,SHA256=72C48E964D66A4E958C8519AA4D21F5B866C59C6775A0CC8B6B2259A262AAC53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024808Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:42.678{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2D880E92AF2ECE0560EE5EB0107A378,SHA256=8D08C60E3F1BB4F3E76F0D2AC8AFCF4DE890879F203069FE3293082FE06FF746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043766Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:43.594{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E71517C459C25FAE12D43382809180E,SHA256=977CB228C32BEC24B8E71638F6A5B6953CF2DC77366A8A5815151F236D075E26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024809Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:43.693{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A55E20907A0A1590F0B5293702BF6658,SHA256=AB9A045F2965903989874EB1E7301B3D35BE5B6888F1DD3E82A4CEB53288A382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024810Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:44.756{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=993255FEC9B0A3CF0E7F0EEF2E0A0589,SHA256=29A26B1640371E66F2A6C4A238800844B2F26D633F0E4A75A920EC0E49A0481B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043768Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:44.624{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F82039DEE7A731CDD79BCDD37C32956C,SHA256=4560B09F04822523C282F4922468CD04E7C3B7E6B7095780664B4D47A4E9E324,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043767Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:41.803{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51580-false10.0.1.12-8000- 23542300x800000000000000024812Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:45.756{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E55B8BEB4C63AC5A9D50A6D4463D9B5D,SHA256=B2F1772ED7D9F83E99B1B65DF35277A7EEECF8E139282AFF5D9362B87932CD65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043769Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:45.639{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D49B2C2E7F479CB28ADEAA949C3DF43D,SHA256=48DF10F055A1EE14DDCA096505A0D78A9739E47E7712569AC56B79CDEFA1D7C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024811Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:43.946{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50843-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000024813Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:46.787{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E1319D6C790A04B70BA67ED7D04C76B,SHA256=BF4890024173B8FE54A7354E00B78A601921E7EE7170796AE1C974245AD7880A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043770Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:46.654{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C95ECF002362985698AAFD8EEF4FBE94,SHA256=3C17D9E51EA2101F494F34F7E8F75CE8D3DFE41587233D4D49138A2420A85ABF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043771Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:47.671{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6599449A010151A001915DC26B70E180,SHA256=62B41A6FA8318B85F8DFA6C8C195509B342EE0B15F3FEEA2F048079FA82506C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024814Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:47.787{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9410AAE78E4F0E583EA36E06FE2C83D9,SHA256=B799155293547B032137649FE8274073B095F6090369E9FA690BD7BD5E18CF15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043772Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:48.706{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91AA956B3675980F183D93634774E3A6,SHA256=845BCBE3525B718F18A4CE86544F34C91CC3794D1C5A1112AB32646A68CE6418,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024815Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:48.818{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B887B92A618FE89F602DA5DB833449,SHA256=F4FA0D337A4765A24DBCB3669C9A6ABE7717D3404FD4E33A1EC8EA365258A7F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024816Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:49.850{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87BE138D2C7F9BD0F68D82B021D1B44B,SHA256=B1F7DF3B134F12428436673F1048EB776D297F03091829F753C6C1307D428B5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043774Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:49.737{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B69B9666B35E7E72B0DE2A2905E272B8,SHA256=331528C81BE577F79F359E13695CC8E363E5F0AA5EF92260E5FC24B724EE0A88,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043773Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:46.848{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51581-false10.0.1.12-8000- 23542300x800000000000000024817Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:50.881{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23258E8C21300E9C9C9BD82832B4A93E,SHA256=9EF08E9E0C1BDDC6E8765576ECD23703CB08CAFF4D50AD8A0D6E8DFCEBEA0961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043778Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:50.771{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F28E2154AF29C5F1B719F2EB06E5905,SHA256=02643385AECEFAD92BE5FCAFBCDFFD14881253E0AAD781AEA443EB308C7E3D74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043777Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:50.290{323FE7D8-022E-6136-0D00-00000000F001}9042288C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2D00-00000000F001}1684C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043776Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:50.290{323FE7D8-022E-6136-0D00-00000000F001}9042288C:\Windows\system32\svchost.exe{323FE7D8-0617-6136-F403-00000000F001}4476C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043775Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:50.290{323FE7D8-022E-6136-0D00-00000000F001}9042288C:\Windows\system32\svchost.exe{323FE7D8-0617-6136-F403-00000000F001}4476C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000043779Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:51.805{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C6A7DB0176795F1C94A66013BA56E85,SHA256=6F63E5F12039D7769B7DBBACA1917FD14D5BE363560926D544ECA9D66E5FDCCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024820Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:51.896{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15C771B292127F4002752C3FE1484824,SHA256=5D1691C346F8F252331F6EA2AB8902BB95B8BD8D2D7D33BE1B0A1418B9CAA8F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024819Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:51.568{FFF7FB96-041E-6136-1200-00000000F101}1020NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=BADA7853F383D86C355A65703805952F,SHA256=6B1965BCC71C811D3A624F3F9F01C48B94F413416C5BBA3A07C861C0EA6CB9E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024818Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:49.009{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50844-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000043780Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:52.835{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52D8EF82BABB896A91F77100B61F0678,SHA256=70FF72E75CC5AD274FA50DBE2E1D1CA4B29718B3080632159F6FE37F195266B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024821Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:52.896{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81F555550F13DC770C958A4036F2DF2E,SHA256=9BA3CC8C06996545D2BB05C2C9FD75BAF8188F950091D48BCE783148266E3A2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043781Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:53.903{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC84FA0C6259C5D87FBF62E8185D7363,SHA256=8D4D6711ADEDBACA7C2957B27ECE8DE77D5304957F5F6DEB66FAAC70405C8629,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024822Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:53.912{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F464508913361A027D9A0C18208E8B0,SHA256=EE082615CFCB9DE26CBA80AEFA23C0D702F3FFB41209DE5F9D65FDC3E39ACD00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043782Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:54.934{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A48DE880A21437DA45549E0E0ED427E,SHA256=E996A2F470290F73AF549B5B1C123EAE3C3B4F6043F1B2AA119A819ACEA7F9E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024824Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:54.959{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A318D3416DECE8F7A4D0F9A3772DE2FF,SHA256=8A651EBA3DB4E41804422AEFE4693D955DDA530D54C5F9764E8C45456E5131A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024823Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:53.065{FFF7FB96-041E-6136-1500-00000000F101}1044C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.15win-host-353.attackrange.local50845-false69.16.175.10hwcdn.net80http 23542300x800000000000000043785Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:55.968{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D47E114333F032A2E19EF5179ACF068,SHA256=71E0F1294C97AC69B99FA8E0835F4E262AEC364CCF757CE941ECC8EA9E976DA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024825Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:55.959{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2AE28AA614270D56F439A9EC113C144,SHA256=205742FA70B6E2F0FBDFA7BD206FEFE2830FA0423F13FD35D29DC1612C55CCCB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043784Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:52.840{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-456.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51638- 354300x800000000000000043783Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:52.698{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51582-false10.0.1.12-8000- 23542300x800000000000000024827Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:56.959{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AD0AC64E5AB185213C83340AB4B61AA,SHA256=5197C627831ECEAA6FD56D4CE0A5FCD1546A066FF8CD98AAF2375A83B36D8277,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043786Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:54.069{323FE7D8-023F-6136-2E00-00000000F001}1500C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-456.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal58734- 354300x800000000000000024826Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:54.931{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50846-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000024828Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:57.959{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D4773F5B8166FCF41CCFAF6283A4AAD,SHA256=30BF04D5A7DEF02B22C3C1E5DC14BDADDEA73C14CB9E62A2C24B58161ACBD0F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043787Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:57.001{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F68668773BA7EE51E7C00BC244E5261,SHA256=B43B87A7E92C632CBF9647BEF4DE938396FFBCACCF3C5084DC70A30D0580640B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043788Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:58.016{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C08E3869A439227EEAF12EA4AC96183,SHA256=D3B38624F746F3D17C7E3A07990EEA6AA75902FF0C3E7E8556BB6B29C1C67FF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043789Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:59.031{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B188299D59E0F60BA7ABE3F62EDCCB94,SHA256=2F4CB90F9ED78A0213ECB6BDC350D9558DA82F605E733A87FF7F0F8B5CD8D487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024829Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:36:59.045{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9649278FAEBCE6ADBE2551F1C8FCF6B4,SHA256=738EE5508BAFE068C72907A7B1BBB46A5C1F7E45D34A9E6FE3932411549AE90E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024830Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:00.045{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6F774A89CAA6A5874CAD82E9F1983AE,SHA256=4269C6DBB28678481C4EE8F0880886E3094C9B31D49826F5D9DCF7D91B0091B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043791Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:36:57.710{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51583-false10.0.1.12-8000- 23542300x800000000000000043790Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:00.046{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F22898BA185219D7153C4F0A98F963D3,SHA256=AEBDC35B4DFE2BFE451EC678468FC722B3BB643F05883566DA2691D238107E9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024832Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:00.001{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50847-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000024831Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:01.077{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A50B1E29A924C35750E9EDB47FBF3DE0,SHA256=A4FEA61B5F848BCEB4C897A27038A096EC937F3DC56EB61D26C5B6BEA77FF03C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043792Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:01.082{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=341AEAF959E36ABEC94018B6F18D0CCE,SHA256=DB6157B3C106105D5E7E053785D3EF82ECC0616EB9FB589C9232B808CE9E8214,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024833Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:02.123{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B71593DFF9C72FC52386608F65B9AD8,SHA256=351951EBE8ABDBEE5AA7A34E9889C5DB4D996C29F237AA5DA647E72ABABFD14B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043793Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:02.097{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F05F98D018B4B3C450A30EAE17D848,SHA256=E379008B89269912D22F83EF49B10FA5D5A02E4D0A0144DFAF4950001958F0A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024834Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:03.139{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=119B84A6AAF1E3AEA854B1B07348586D,SHA256=15CFC8DACD0E8CFB030E8F786A25E09E0D9F0D3AB7CF6037D77172ABBC54B40E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043794Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:03.112{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A863556C7E11A6F27C5DCDB8AE470B6,SHA256=3D837FCDB6555B5F1DE0B30E35DFD57C883DBD9FBC5380C8FEA8CEB20B5F335F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024835Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:04.155{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B26DF9FD853E0FEC75104E10052CC7D,SHA256=8DD63C80CCB77D1D9595930ADA0FDA109B7280F441F1DB28CBABD544A53D55D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043805Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:04.611{323FE7D8-1980-6136-BC08-00000000F001}4932364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000043804Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:02.837{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51584-false10.0.1.12-8000- 10341000x800000000000000043803Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:04.411{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1980-6136-BC08-00000000F001}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043802Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:04.411{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043801Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:04.411{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043800Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:04.411{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043799Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:04.411{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043798Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:04.411{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1980-6136-BC08-00000000F001}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000043797Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:04.411{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1980-6136-BC08-00000000F001}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000043796Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:04.412{323FE7D8-1980-6136-BC08-00000000F001}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000043795Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:04.142{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB95AE3A0ABD0E6B0A31D364187F7DA1,SHA256=5D33043047565845D77F9CD637D45417EF123BEE46E57023A6BE309F51B47D82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043824Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.762{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1981-6136-BE08-00000000F001}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043823Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.760{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043822Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.760{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043821Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.760{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043820Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.759{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043819Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.759{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1981-6136-BE08-00000000F001}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000043818Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.759{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1981-6136-BE08-00000000F001}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000043817Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.758{323FE7D8-1981-6136-BE08-00000000F001}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000043816Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.426{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CB50FB5EE8B83691D240C435ED24149,SHA256=349016206128673D0673C9F66BC345E7059582842290AB9A87B76979073128B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043815Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.426{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33120D223A941700840F61A3CAD468BF,SHA256=C91B6F45A47A5EEFC50BB145F9CF16A812A678E564AFC6219600B5A704C7691A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043814Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.164{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44D4BAE7DFF7D3F1A076C37D404B6C25,SHA256=126B23D7D9C249E5DE9CA2FAA6584167657C5AE8ABDE116EDBB52F8E456203C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024864Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.985{FFF7FB96-1981-6136-3606-00000000F101}33441120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024863Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.795{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1981-6136-3606-00000000F101}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024862Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.795{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024861Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.795{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024860Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.795{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024859Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.795{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024858Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.795{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024857Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.795{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024856Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.795{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024855Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.795{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024854Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.795{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024853Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.795{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1981-6136-3606-00000000F101}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024852Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.795{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1981-6136-3606-00000000F101}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024851Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.796{FFF7FB96-1981-6136-3606-00000000F101}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024850Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.608{FFF7FB96-049C-6136-9F00-00000000F101}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024849Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.170{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F073FFBB6C39F7231BB14E556EE9F5A5,SHA256=EE2A392CD69568A178693A1BC714AC67F71BC026A5E8BC0E816BE1BB0C7028DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024848Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.123{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1981-6136-3506-00000000F101}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024847Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.123{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024846Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.123{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024845Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.123{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024844Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.123{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024843Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.123{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024842Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.123{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024841Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.123{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024840Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.123{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024839Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.123{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024838Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.123{FFF7FB96-041D-6136-0500-00000000F101}412528C:\Windows\system32\csrss.exe{FFF7FB96-1981-6136-3506-00000000F101}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024837Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.123{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1981-6136-3506-00000000F101}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024836Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.124{FFF7FB96-1981-6136-3506-00000000F101}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000043813Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.095{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1981-6136-BD08-00000000F001}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043812Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.095{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043811Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.095{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043810Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.095{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043809Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.095{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043808Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.095{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1981-6136-BD08-00000000F001}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000043807Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.095{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1981-6136-BD08-00000000F001}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000043806Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.096{323FE7D8-1981-6136-BD08-00000000F001}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000024882Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.439{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50849-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000024881Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:05.033{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50848-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000024880Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:06.467{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1982-6136-3706-00000000F101}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024879Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:06.467{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024878Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:06.467{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024877Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:06.467{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024876Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:06.467{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024875Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:06.467{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024874Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:06.467{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024873Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:06.467{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024872Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:06.467{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024871Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:06.467{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024870Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:06.467{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1982-6136-3706-00000000F101}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024869Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:06.467{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1982-6136-3706-00000000F101}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024868Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:06.468{FFF7FB96-1982-6136-3706-00000000F101}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024867Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:06.170{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2035A6B44E075FC397BC92508F6F3DE2,SHA256=D891C5C9AC6B832B351F6BE11770FFD4732C0554C03FE864F55514304BD500F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043826Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:06.561{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CB50FB5EE8B83691D240C435ED24149,SHA256=349016206128673D0673C9F66BC345E7059582842290AB9A87B76979073128B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043825Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:06.179{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16D705C8900C62E9ED2C723E5D96AA2A,SHA256=3AF62350EB242C8D018AEBC945D98D99190036FA56593D6614F344D9AC293D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024866Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:06.123{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=042E086AF62B4D1EAF80D7027AE45849,SHA256=377E5CAEAA71E5EE87192C9B7C7D261E8319DB9D40DCFCFACF2400E9C1005879,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024865Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:06.123{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA2A1ECEADA3E2200AD7EF0D5786F9CE,SHA256=9F3BA2451A6336944B2750CCD6B8B76628C1C0BE2D648FBB29E7C829CAAE7157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024898Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:07.545{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=042E086AF62B4D1EAF80D7027AE45849,SHA256=377E5CAEAA71E5EE87192C9B7C7D261E8319DB9D40DCFCFACF2400E9C1005879,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024897Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:07.498{FFF7FB96-1983-6136-3806-00000000F101}32122956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024896Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:07.358{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1983-6136-3806-00000000F101}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024895Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:07.358{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024894Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:07.358{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024893Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:07.358{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024892Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:07.358{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024891Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:07.358{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024890Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:07.358{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024889Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:07.358{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024888Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:07.358{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024887Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:07.358{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024886Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:07.358{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1983-6136-3806-00000000F101}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024885Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:07.358{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1983-6136-3806-00000000F101}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024884Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:07.359{FFF7FB96-1983-6136-3806-00000000F101}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024883Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:07.202{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0EF2BAF8894F9B97D09D894426A2DE4,SHA256=37D6B4D00DF59473CED4C399513F4125C62D96B9122D4CD800C244DEA9F96CB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043829Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.137{323FE7D8-022C-6136-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51585-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 354300x800000000000000043828Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:05.136{323FE7D8-023F-6136-2800-00000000F001}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-456.attackrange.local51585-true0:0:0:0:0:0:0:1win-dc-456.attackrange.local389ldap 23542300x800000000000000043827Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:07.194{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68AF141716D8E3FAD8C609902A3DE5DE,SHA256=90DBDC1132227CFBB2001BA115471CAA8F99FF3860E895A85BFADE4263313575,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024927Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.858{FFF7FB96-1984-6136-3A06-00000000F101}25643016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000024926Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.717{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C353377C59B4831CE928CAFE7F777043,SHA256=21EE2E16B2A8646FDD9127E9B5BB4363673A73B771C2316A666BAB68579D219F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024925Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.702{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1984-6136-3A06-00000000F101}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024924Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.702{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024923Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.702{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024922Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.702{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024921Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.702{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024920Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.702{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024919Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.702{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024918Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.702{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024917Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.702{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024916Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.702{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024915Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.702{FFF7FB96-041D-6136-0500-00000000F101}412428C:\Windows\system32\csrss.exe{FFF7FB96-1984-6136-3A06-00000000F101}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024914Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.702{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1984-6136-3A06-00000000F101}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024913Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.702{FFF7FB96-1984-6136-3A06-00000000F101}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000043848Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.908{323FE7D8-1984-6136-C008-00000000F001}63161828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043847Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.739{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1984-6136-C008-00000000F001}6316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043846Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.739{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043845Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.739{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043844Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.739{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043843Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.739{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043842Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.739{323FE7D8-022C-6136-0500-00000000F001}408524C:\Windows\system32\csrss.exe{323FE7D8-1984-6136-C008-00000000F001}6316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000043841Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.739{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1984-6136-C008-00000000F001}6316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000043840Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.740{323FE7D8-1984-6136-C008-00000000F001}6316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000043839Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.293{323FE7D8-1984-6136-BF08-00000000F001}38405384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000043838Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.208{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABE1E3933AC520BFE7584A1EA5D27B1E,SHA256=67DBEEB051B12455FACCE7B8F6239B8B3FE6F629DFD1BBAC2069B9D6773260B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024912Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.170{FFF7FB96-1984-6136-3906-00000000F101}7001704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024911Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.030{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1984-6136-3906-00000000F101}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024910Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.030{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024909Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.030{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024908Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.030{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024907Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.030{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024906Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.030{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024905Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.030{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024904Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.030{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024903Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.030{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024902Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.030{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024901Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.030{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1984-6136-3906-00000000F101}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024900Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.030{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1984-6136-3906-00000000F101}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024899Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:08.030{FFF7FB96-1984-6136-3906-00000000F101}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000043837Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.077{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1984-6136-BF08-00000000F001}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043836Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.077{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043835Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.077{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043834Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.077{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043833Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.077{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043832Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.077{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1984-6136-BF08-00000000F001}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000043831Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.077{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1984-6136-BF08-00000000F001}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000043830Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.078{323FE7D8-1984-6136-BF08-00000000F001}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000043859Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:09.576{323FE7D8-1985-6136-C108-00000000F001}58165032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043858Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:09.423{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1985-6136-C108-00000000F001}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043857Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:09.423{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043856Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:09.423{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043855Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:09.423{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043854Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:09.423{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043853Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:09.423{323FE7D8-022C-6136-0500-00000000F001}4083512C:\Windows\system32\csrss.exe{323FE7D8-1985-6136-C108-00000000F001}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000043852Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:09.423{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1985-6136-C108-00000000F001}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000043851Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:09.424{323FE7D8-1985-6136-C108-00000000F001}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000043850Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:09.223{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D3274DB0EDAD92A9075247E938CA1D6,SHA256=E25A6BADBDE899B418CDD09D9BB82A5F5D0D229D8BE077FB63CBD37E25F28756,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024942Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:09.393{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\respondent-20210906120554-088MD5=4761C661187147E55C9BD88F93ACDD3F,SHA256=E49051AD655512C416AEEFA39D6145E31F50204E8459201070596158B48A8487,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024941Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:09.375{FFF7FB96-049C-6136-A300-00000000F101}29283756C:\Windows\system32\conhost.exe{FFF7FB96-1985-6136-3B06-00000000F101}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024940Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:09.375{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024939Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:09.375{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024938Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:09.375{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024937Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:09.375{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024936Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:09.375{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024935Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:09.375{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024934Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:09.375{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024933Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:09.375{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024932Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:09.375{FFF7FB96-041E-6136-0C00-00000000F101}728860C:\Windows\system32\svchost.exe{FFF7FB96-041F-6136-1D00-00000000F101}1952C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024931Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:09.375{FFF7FB96-041D-6136-0500-00000000F101}412960C:\Windows\system32\csrss.exe{FFF7FB96-1985-6136-3B06-00000000F101}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024930Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:09.375{FFF7FB96-049C-6136-9F00-00000000F101}4162952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FFF7FB96-1985-6136-3B06-00000000F101}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024929Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:09.375{FFF7FB96-1985-6136-3B06-00000000F101}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FFF7FB96-041D-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{FFF7FB96-049C-6136-9F00-00000000F101}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024928Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:09.062{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6BF644B31CBDA3FCE772381BBB3DB0E,SHA256=E5C76F2DDB3C07854C366116FF015A093FFE64979316D15F302AF5CC5CA79FAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043849Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:09.092{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57D2B1669CE2BD301C22AE2426A770F9,SHA256=A74A17EFF0D49A3A5D109B0340560C8D37D98C6A4FFEF816A856C06310DADC81,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043870Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:08.649{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51586-false10.0.1.12-8000- 23542300x800000000000000043869Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:10.423{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FB46BD8DAAEE5F33D2585C26B8BB551,SHA256=CE401264C437BFCE5E8224F59FEE55EAA3D300EC0FA2C982BCC649FD1BC4F4F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043868Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:10.241{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=946E8D9ADCD041518562DE13C6F58055,SHA256=BEC1207FD1DE2E613C0EDBC2043FC4FB346D5FAA27CAB951F1377DDA14BB7E7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024945Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:10.395{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE2B2328946CD4E6B7E45083D251DB7A,SHA256=AD0FB4AC34E84525B4215D3E8DA77003B9924B3CB1C43B962336F7A3A0442A1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024944Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:10.392{FFF7FB96-041F-6136-1A00-00000000F101}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b9bcd2584272427e\channels\health\surveyor-20210906120551-089MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024943Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:10.219{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F616057449869B61A1AF23C7B659CC15,SHA256=DE530DC5C667DAFB868B836D43F41DE040AE3059AEB1DC4A339FBF04182680C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043867Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:10.092{323FE7D8-02BC-6136-AB00-00000000F001}38723380C:\Windows\system32\conhost.exe{323FE7D8-1986-6136-C208-00000000F001}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043866Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:10.092{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043865Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:10.092{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043864Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:10.092{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043863Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:10.092{323FE7D8-022E-6136-0C00-00000000F001}8486244C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2F00-00000000F001}2368C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043862Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:10.092{323FE7D8-022C-6136-0500-00000000F001}408424C:\Windows\system32\csrss.exe{323FE7D8-1986-6136-C208-00000000F001}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000043861Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:10.092{323FE7D8-02BC-6136-A700-00000000F001}10363440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{323FE7D8-1986-6136-C208-00000000F001}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000043860Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:10.092{323FE7D8-1986-6136-C208-00000000F001}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{323FE7D8-022C-6136-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000024947Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:10.050{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50850-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000024946Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:11.220{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0A624BEC899984849329FC43771E944,SHA256=AE63E9396660E7844F5B68377E6AC86B8E015031169DDCB7786EAB433A9FEE27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043871Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:11.257{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F9B85047EA67FA21B2EC570FAC61A70,SHA256=A6FAE770A4D779BB65B7A9C736FB156E2DDBCFC1CE5300D4B9CB8DF7C6A636A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043872Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:12.277{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18DD34C424717F6DEFCB9E6CDAAFF94A,SHA256=B9B6F2C9280E4240FAA96EA36BB341AF013E9894E1A4CFD7A8A9DB237DEEF40F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024948Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:12.236{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D33A11B3FB29BF12744645C9B055014,SHA256=87C996B3F922FA6682BA757C1899B217EBA0A3AA6DEF736890B9305007A3860F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043873Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:13.278{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93BEC05CC7D9A182A71CB373F9F4FD1F,SHA256=3821A76CEC8ED64F264D1C67B23E484C4819B597C5FF1BA72E7386BDDDF18484,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024949Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:13.251{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CD1C5F4D6BC36ED203CE8A918097446,SHA256=211334653BAE8319F4164C7FAE14F1DF1775E251CD20D220F493B27D19AE0E51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043874Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:14.294{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F315D77E350D4DBC7DB037ACEE2FC2,SHA256=60A62CE117C87873A884870EA080A0102A5C3E482A57CCBDF9A541DEB3F93C12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024950Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:14.251{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=012E09E259C258504A162FB12997A1B2,SHA256=304E4AECCC9D5E011BEA2B5038F3F83191FF9BDDD73109C85B3BA3FB5F4C8906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024951Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:15.251{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EFF6007FC309B4EB1C84F1389C90517,SHA256=51410FC11F26958EF67EC95813442E5AEAAE791BAEE05BA71E25F83026A67D5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043876Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:13.803{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51587-false10.0.1.12-8000- 23542300x800000000000000043875Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:15.308{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F46259948B36ABAFA9083B8DFCF70A08,SHA256=4B59DF78562801E8A85C432A5AD0B584707D785181706F865ADFC61CB881B030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043877Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:16.324{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=176E307CCFBD9C44A434A267376F34DC,SHA256=C23CE5F1FE6D177376561E7109243CA40E3B4A3EF6A5647B5CAB7A1546C4CD9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024952Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:16.267{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48D416D134B7EFCC5D7DA2A20979C524,SHA256=904B5DB31DFCABE4119A1B4C7187D423E880AE4033D9C1901828B75A75E3D84A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043878Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:17.340{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=440024691999EBED6D19B1ECE7537FC5,SHA256=E57E829365A7FAEEFEDC4CDEAA56DA01F8AC3EA6BBE0E7766A848A888F2A3FED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024953Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:17.283{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77C08B937EC20DA5FF272DD478F0F9D6,SHA256=B921A5119BBE0A6B500009AA3A1A6AB873824FF85135626845BF87809A498C5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043879Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:18.357{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF68ECB59443F43840DD2AAB159DA244,SHA256=CFA3830C452FFE4ACAD01C06501FF158C4A0EB924362EFBBE1D8C82208CB7992,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024955Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:18.283{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA3F2A8D461FDFB3251C97D1CBB3EEF,SHA256=2A15036FB4CB73004140EB436B6DA50BCD52CECD5CB6E867A746DC84EA2CA8E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024954Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:16.004{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50851-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000024956Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:19.293{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF2030572B9FF0441E475A34219FB734,SHA256=BD78F22CC683936C44C8B2265EE01ED13C52D06F3BDA1E21150748FC75B09EE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043880Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:19.376{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5F977B6AF31FD4927ABFDDAB1D723E4,SHA256=D48DA938631548F3DB8695DB5C46653C4926BCFB9126432060EC5E81AABA506E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024957Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:20.298{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8837E18FC05ABEAC75B412E18935B8A,SHA256=3BC6FF6317A6FA0E6AAAC01072BA1EC1FF1A5983B2AB176DA3FEC7ED37660624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043881Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:20.391{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=469EA52818767060CAC6DEA184D5BECA,SHA256=2534C34817A9E6E5271094B033E9F07B02910BFCA47DF58C0E8FBC9B12DA8FE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024958Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:21.309{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=132BB09B211C8655816D6616EB221B69,SHA256=809FF86DD3DB40DAC5F78FE1B22DD3F91CCD7733BAF88AFF3F251506E94BD11D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043884Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:19.670{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51588-false10.0.1.12-8000- 23542300x800000000000000043883Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:21.392{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ED8ECE01BC7595C2C4783DEC5EC3F71,SHA256=59D31973A1017CF2863139835F343A86D279C871D574A42522829B1A86DC5E0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043882Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:21.025{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\respondent-20210906115753-096MD5=58D52BFFD80488B8005F7C319C2D4334,SHA256=B9D8441D1BC2ED8425146F5F211E2A21C477807F4E0B7EBAD9811C868FAB9279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024959Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:22.309{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A70172537A4595D05B9F5FE24E5D81AC,SHA256=BCE66DB5E6D94ECB7907EC16088C4FEC7B4ABD6EDC1CF2858A35673A4BDC7A3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043886Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:22.392{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=644982BFFD2D54ACDDF5A0AA1DBD4BF6,SHA256=58DD4AAF43B576D80071B1346461D4B7BF5666760957B564EF60214C3D2B931C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043885Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:22.024{323FE7D8-023F-6136-2900-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fa896e07c0bdc047\channels\health\surveyor-20210906115751-097MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024960Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:23.324{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6C25F055E83F7F966AA55CDED7C943D,SHA256=B92281ED8F65EAC8850362C9274F8CF1B18F8757BA4A603EAFB59EE076069FA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043887Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:23.423{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84B62AA73FC68158BE06EF3B3E4CE57F,SHA256=8987AA4CF263E7A7CAC28575329426F419D0CED585335E9EBD46C35400C4906E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043888Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:24.457{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DBE806F6DF993D91B518AA87FFB0C7E,SHA256=13BD3D00CB90DDA092D6881C661D51C44C3EAABB1FDFA994007D9D637A831BF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024962Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:24.340{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE643B15CC98591FADB96034E5063E46,SHA256=99C45A36A2C490F3962A8A671AA5B3A9878012EE75889F6A9799E185A00B70C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024961Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:21.999{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50852-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000024963Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:25.356{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BE6F98E70D5D418357F35185D2A755D,SHA256=AAF0FF7978AE6C247B50CED2F286E30B28CA1F819119F2B8493FE5EC00486549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043889Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:25.475{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B622B98F0780A079DF188AEED7525886,SHA256=97FB520325E0013D029734D483A7962A2BCB6182A61BD40583F43A132E53FD0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024964Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:26.356{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D8493F4B93D78485CF42EF9754EE8CE,SHA256=077E66626BAEEE44AEF4183F9E4D7B2CCF0E81EBD7BC11F69AA84F15704116CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043890Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:26.490{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D882FFC6FBC0D88A3CBE1BD5FADF110D,SHA256=85456ADC7F07129CA0F6169F987D1265C2714B8EDAD42B1713BBF986BBD02362,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043892Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:27.504{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83ED232A8A6BAB249A82EF7901C99D10,SHA256=2D972D1F3193352B720DEE052ED21E77F50F20D7A5074ADE583E3987F5E9BE22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024965Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:27.371{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D326F78CF942952135A481D65637DDE6,SHA256=16B5539FB7EC6826E4F4E536E6823CED3748F038E7B45161DB8E0D96BD39903E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043891Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:24.785{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51589-false10.0.1.12-8000- 23542300x800000000000000043895Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:28.519{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7B781B87354E903796343D3BBF9918B,SHA256=34E25552C0D4684C313D8A22080953A5D388816FFB4A7622BA6EBEFB4999017F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024966Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:28.371{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE091B1CF01674F298C049D1B6064B4E,SHA256=EB34BF4FB046A8446759C9A9471C43220C5926F32F49624A0517F8BA29474232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043894Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:28.488{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BFAE9961998D13F4D29896EACED9A72,SHA256=586F0A6C42F50DD55B85DEF5052B3B6372D10212C05DE56FA7366F0A606890F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043893Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:28.488{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F133DF12B8EE5EC619F149266248C0B5,SHA256=63E826F8B047834DEED81C1A3645FC8287C734546EFAF357AE3D80CF97E683C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043896Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:29.553{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30DA489047A0C84991EF3C6F260BB6F2,SHA256=2684E0D05302345AA6A6D8ECC8A4B57E4F63B777B91AA432365AC2EA2B7AB9AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024968Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:29.371{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5216EE02D84AEE20D3826CA12D130D1,SHA256=ADCE8D84200B7BA21951B8A459079E8CF105C97601D5DF29EB22F7C52E6B2B38,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024967Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:27.030{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50853-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000024969Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:30.387{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8586E96D5D7B25E98E1EC756D8F8E232,SHA256=E5C274D3460123FA1AA063C5D40CE486ED5E2262F51586050C93BF5C00DD6AD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043898Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:30.586{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09158CC8D81E3B2C4823C4BD9849C88C,SHA256=6C1BE7EA1AD9E3516646DFABB783E94F8D6B368C2E2E58EF8683361E6B05C80C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043897Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:30.118{323FE7D8-02BC-6136-A700-00000000F001}1036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8750129871E9EE1AE91141A9C8CE0636,SHA256=C066BDADBFB71ECE261FD3732B901F6742FA9775152EB875557B7910A2C937F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043899Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:31.617{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20F709401ADAB7DDC4EB39F564FCBB6D,SHA256=DD7EBFBD8E0F737A35B645CB367C530D24568C584C96D4B08900052C0E1367D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024970Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:31.387{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DD33FDAE9660011A1C48093D41BEB6D,SHA256=41BB90C6518A0B667E3D7D9E5DF1475D89915DF4E52D9045C64EF1E61DCAE0FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043901Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:32.653{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68587E8C2BD040CC80521C2A84B6E58F,SHA256=6D670E7814F35323E059B0042B58E35636B0501A159DEB0C816370A4470B1478,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024971Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:32.387{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=264F73542A6E8BB342E28A9BF4337199,SHA256=3BAA9ADC9408330955C0B6E6986F4E47BE07226970AAB230935315BE03A7C731,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043900Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:29.697{323FE7D8-02BC-6136-A700-00000000F001}1036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51590-false10.0.1.12-8089- 10341000x800000000000000043904Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:33.769{323FE7D8-022C-6136-0B00-00000000F001}624812C:\Windows\system32\lsass.exe{323FE7D8-022A-6136-0100-00000000F001}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000043903Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:33.685{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89FA119C924D5CAFC695C385EF9991FD,SHA256=9E7CA7F449A6721BE1A09BB583350A0040B25F2AE1E1CB51D30C3B1A10C8FC92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024972Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:33.387{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=664C2DC63233D8938D0A2BC8E19D2AFC,SHA256=E1066DAB4017891AFB77BD5598BB9238CBECEDE38E73FDF72C90F358C158A851,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043902Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:30.665{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51591-false10.0.1.12-8000- 23542300x800000000000000043907Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:34.784{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C82AB87BEE153B176860E32796E221CA,SHA256=B707E4B33F2A8C501A4704FC2E572F3327B1B9FBDEB667CAC077BA0EC404B8C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043906Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:34.784{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BFAE9961998D13F4D29896EACED9A72,SHA256=586F0A6C42F50DD55B85DEF5052B3B6372D10212C05DE56FA7366F0A606890F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043905Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:34.715{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A70027C90F9F30599C8E2124E34E59A8,SHA256=B96FBCC19307565A049CD7CF8FD40D50A03BA589D853E3EAFF8F02F01FBB950B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024974Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:32.108{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50854-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000024973Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:34.387{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64E4008AFED6B8495376C19015101567,SHA256=2FD0B285BD5BA0578AADAAAB0645DDDDB2434DAA3A340C5820C646BAAFE15760,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043912Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:35.730{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43E8E7CC113C75F0023F3D10A4A24142,SHA256=86E489A949409D98EDA6E7853956B43CFF29AE9709CCEAF0C5A97398571DF51F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024975Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:35.387{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5D18F0C1BBA7A5BAD477C1D94210820,SHA256=1B4D1EA0DCA3861DDBBDEEAA5BCB2379514666CF980FFCEF37928F78505853C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043911Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:35.515{323FE7D8-022F-6136-1600-00000000F001}13082520C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043910Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:35.515{323FE7D8-022F-6136-1600-00000000F001}13082520C:\Windows\system32\svchost.exe{323FE7D8-023F-6136-2B00-00000000F001}2976C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000043909Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:33.365{323FE7D8-022A-6136-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51592-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local445microsoft-ds 354300x800000000000000043908Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:33.364{323FE7D8-022A-6136-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local51592-truefe80:0:0:0:2066:3a74:49be:6c1bwin-dc-456.attackrange.local445microsoft-ds 23542300x800000000000000043914Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:36.748{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C4A8B92D6C772A9BE87EBA09ECFF6DA,SHA256=D297DEE211B3052A84EFD9A9689B979E9BFDA977CDA84E8D3C60A4FE24E0A9D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024976Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:36.403{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FBCFE53E9E6782AC89C5670D94F8F90,SHA256=992D15D271BF230E1DC2F890C1F74CEB0E6657E20B4BA612E7AC49517459C620,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043913Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:36.183{323FE7D8-022E-6136-1000-00000000F001}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B0FADE96BD0EA8FEC5C9547CE1E1FDA2,SHA256=0DA54076230CA6412588D1450BA36D333C5B580BDFC0EE1C76CE773CFAA6B1DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043915Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:37.783{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAAA151EC96B5359804C4FA40FE64857,SHA256=3E8853BAE61FDEC8F0AD8894C08049BA1B519C6436169EB2E82515E183A08897,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024977Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:37.403{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=718FEC9B7FE789A6553BEDF0DBCCEFE0,SHA256=07DEBCF7B470061EFFBAD9EC1334A36DDEABB99FCD9F1091DE533A1AECCEC2F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043917Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:38.798{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDF216EEEB6117F44AEFF8FEE716B90B,SHA256=F38BA87B76B57A61861C73748E75A9073EC7A69FA7401FA2E258A1642121DB88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024978Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:38.418{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EB45683759D984E0C345E179620CBCB,SHA256=7CC29910F35671012EC58BBEE21964C807F006668A0159379A9DB3F33706FC07,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043916Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:35.693{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51593-false10.0.1.12-8000- 23542300x800000000000000043918Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:39.829{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1F0E036CC8A231B049BAF04C2EBC4F9,SHA256=BDAA1AE51F2ECF7FBAD8F1328FA988964D434472C2F0F4CD5ED5493E932A3B6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024979Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:39.423{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9E95D47C2595883B7121BF4CEBB4E26,SHA256=F117CBFCCCEFE40933F9A69D6A17E3F9BBD00BA5143BEF775F5CAF7273A3D0CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043919Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:40.847{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE2B57955C17DCC9E9395B6E44505EA,SHA256=A15CA6FD281F364C96CAE15F7428BB0D8A2F9B72B01740C6EF18CD287965B1D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024981Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:38.077{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50855-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000024980Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:40.501{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=389BED404239665566D2CDE3E2C25996,SHA256=6E33C2D65A8EC3863FACC921A3A7AD5163C8770917AA92BE52FDBAC103A121B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043920Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:41.870{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1279DCCB620F44E9005CF031EB8876A8,SHA256=CC95CEE49185A7E14870489DB0F6226E2880B838A52F6964879C29FDA132AA36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024982Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:41.517{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3386204EDAB437D779C73B5E0021527,SHA256=21071227AC5F0B37B8D6F6DC5A01D052A007DE2CA94D3C3B25304CE3594CF110,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043922Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:42.880{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9924282B14D4306567131B7FD4EE2C0C,SHA256=E6DEF88E0F211AD6AF887FEDABAFF941550FF9C2BD2D2427396CEA0C8E6D3DBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024983Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:42.517{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=753A057300F03BF39E3E8E05AF5DB13D,SHA256=636F5E5FD35C005B195D0D8A06C23B66494FB2832C923E5DD5FD59A2E52CB99E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043921Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:40.791{323FE7D8-02C4-6136-D600-00000000F001}376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-456.attackrange.local51594-false10.0.1.12-8000- 23542300x800000000000000043923Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:43.895{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF45E7370ABA3501FD74D415367F32EB,SHA256=4849EE7DA108AB0111ECEB4F99978FEB152D2BCF145FD9C6F052E19ED66D0A14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024984Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:43.532{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEEB3CBAE5510B061EF8F3A9183FC8C9,SHA256=0D42BB69CD4E60A7058950172726C312F6C2B922A5F991BC77AD26F896D02DE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043924Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:44.925{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F590BE19D630AB1B57A1F50346CC054C,SHA256=8D33778B4E1BB7C07B35E7A94772C979A2713C4A75DB7C29908F60DFBA2D9CA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024985Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:44.548{FFF7FB96-04A9-6136-D600-00000000F101}1184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0189704CEDA7F1B86C50D82C2FBA5323,SHA256=B853A9765D4C72BA1747B845A50700E18D090AB5AC7C7AE53103D7C50E5E3A9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043927Microsoft-Windows-Sysmon/Operationalwin-dc-456.attackrange.local-2021-09-06 13:37:45.944{323FE7D8-02C9-6136-DF00-00000000F001}3940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72C872516D16D34EAC95C8266DE222EB,SHA256=A4C0D71638874A4761F69905176417429083D2B75D242B2F25C09506B2BB276F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024987Microsoft-Windows-Sysmon/Operationalwin-host-353.attackrange.local-2021-09-06 13:37:43.848{FFF7FB96-04A4-6136-CD00-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-353.attackrange.local50856-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000024986Microsoft-Windows-Sysmon/Operationalwin